ARM64: unbound 1.19 up but unhealthy #5649

Closed
5 tasks done
bundyland opened this issue Jan 18, 2024 · 45 comments

@bundyland

Contribution guidelines

I've found a bug and checked that ...

  • ... I understand that not following the below instructions will result in immediate closure and/or deletion of my issue.
  • ... I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
  • ... I have understood that answers are voluntary and community-driven, and not commercial support.
  • ... I have verified that my issue has not been already answered in the past. I also checked previous issues.

Description

Hi guys,

first of all: congrats and thanks a lot for the official Multiarch/ARM64 release of Mailcow.

I have just installed Mailcow on an ARM64 Hetzner server and everything seems to run smoothly. The only issue I have noticed is that "docker ps" shows the unbound container as unhealthy even if the DNS resolution inside the container is working fine.

Even though it may not be a big deal, I wanted to report this error here in case others have experienced the same problem. 

Thank you.

Logs:

root@m:/opt/mailcow-dockerized # docker compose logs unbound-mailcow
mailcowdockerized-unbound-mailcow-1  | Setting console permissions...
mailcowdockerized-unbound-mailcow-1  | Receiving anchor key...
mailcowdockerized-unbound-mailcow-1  | Receiving root hints...
######################################################################## 100.0%
mailcowdockerized-unbound-mailcow-1  | setup in directory /etc/unbound
mailcowdockerized-unbound-mailcow-1  | Certificate request self-signature ok
mailcowdockerized-unbound-mailcow-1  | subject=CN = unbound-control
mailcowdockerized-unbound-mailcow-1  | removing artifacts
mailcowdockerized-unbound-mailcow-1  | Setup success. Certificates created. Enable in unbound.conf file to use
mailcowdockerized-unbound-mailcow-1  | [1705561167] unbound[1:0] notice: init module 0: validator
mailcowdockerized-unbound-mailcow-1  | [1705561167] unbound[1:0] notice: init module 1: iterator
mailcowdockerized-unbound-mailcow-1  | [1705561167] unbound[1:0] info: start of service (unbound 1.19.0).
mailcowdockerized-unbound-mailcow-1  | [1705561171] unbound[1:0] info: generate keytag query _ta-4f66. NULL IN
mailcowdockerized-unbound-mailcow-1  | [1705561357] unbound[1:0] info: service stopped (unbound 1.19.0).
mailcowdockerized-unbound-mailcow-1  | [1705561357] unbound[1:0] info: server stats for thread 0: 417 queries, 248 answers from cache, 169 recursions, 0 prefetch, 0 rejected by ip ratelimiting
mailcowdockerized-unbound-mailcow-1  | [1705561357] unbound[1:0] info: server stats for thread 0: requestlist max 74 avg 7 exceeded 0 jostled 0
mailcowdockerized-unbound-mailcow-1  | [1705561357] unbound[1:0] info: average recursion processing time 1.338015 sec
mailcowdockerized-unbound-mailcow-1  | [1705561357] unbound[1:0] info: histogram of recursion processing times
mailcowdockerized-unbound-mailcow-1  | [1705561357] unbound[1:0] info: [25%]=0.0141722 median[50%]=0.32768 [75%]=1.98611
mailcowdockerized-unbound-mailcow-1  | [1705561357] unbound[1:0] info: lower(secs) upper(secs) recursions
mailcowdockerized-unbound-mailcow-1  | [1705561357] unbound[1:0] info:    0.000000    0.000001 17
mailcowdockerized-unbound-mailcow-1  | [1705561357] unbound[1:0] info:    0.002048    0.004096 1
mailcowdockerized-unbound-mailcow-1  | [1705561357] unbound[1:0] info:    0.004096    0.008192 6
mailcowdockerized-unbound-mailcow-1  | [1705561357] unbound[1:0] info:    0.008192    0.016384 25
mailcowdockerized-unbound-mailcow-1  | [1705561357] unbound[1:0] info:    0.016384    0.032768 21
mailcowdockerized-unbound-mailcow-1  | [1705561357] unbound[1:0] info:    0.032768    0.065536 6
mailcowdockerized-unbound-mailcow-1  | [1705561357] unbound[1:0] info:    0.065536    0.131072 3
mailcowdockerized-unbound-mailcow-1  | [1705561357] unbound[1:0] info:    0.131072    0.262144 3
mailcowdockerized-unbound-mailcow-1  | [1705561357] unbound[1:0] info:    0.262144    0.524288 10
mailcowdockerized-unbound-mailcow-1  | [1705561357] unbound[1:0] info:    0.524288    1.000000 17
mailcowdockerized-unbound-mailcow-1  | [1705561357] unbound[1:0] info:    1.000000    2.000000 18
mailcowdockerized-unbound-mailcow-1  | [1705561357] unbound[1:0] info:    2.000000    4.000000 26
mailcowdockerized-unbound-mailcow-1  | [1705561357] unbound[1:0] info:    4.000000    8.000000 12
mailcowdockerized-unbound-mailcow-1  | [1705561357] unbound[1:0] info:    8.000000   16.000000 4
mailcowdockerized-unbound-mailcow-1  | Setting console permissions...
mailcowdockerized-unbound-mailcow-1  | Receiving anchor key...
mailcowdockerized-unbound-mailcow-1  | Receiving root hints...
######################################################################## 100.0%
mailcowdockerized-unbound-mailcow-1  | setup in directory /etc/unbound
mailcowdockerized-unbound-mailcow-1  | removing artifacts
mailcowdockerized-unbound-mailcow-1  | Setup success. Certificates created. Enable in unbound.conf file to use
mailcowdockerized-unbound-mailcow-1  | [1705561388] unbound[1:0] notice: init module 0: validator
mailcowdockerized-unbound-mailcow-1  | [1705561388] unbound[1:0] notice: init module 1: iterator
mailcowdockerized-unbound-mailcow-1  | [1705561388] unbound[1:0] info: start of service (unbound 1.19.0).
mailcowdockerized-unbound-mailcow-1  | [1705561388] unbound[1:0] info: generate keytag query _ta-4f66. NULL IN
mailcowdockerized-unbound-mailcow-1  | [1705562349] unbound[1:0] info: service stopped (unbound 1.19.0).
mailcowdockerized-unbound-mailcow-1  | [1705562349] unbound[1:0] info: server stats for thread 0: 1607 queries, 1017 answers from cache, 590 recursions, 0 prefetch, 0 rejected by ip ratelimiting
mailcowdockerized-unbound-mailcow-1  | [1705562349] unbound[1:0] info: server stats for thread 0: requestlist max 71 avg 8.43729 exceeded 0 jostled 0
mailcowdockerized-unbound-mailcow-1  | [1705562349] unbound[1:0] info: average recursion processing time 0.573554 sec
mailcowdockerized-unbound-mailcow-1  | [1705562349] unbound[1:0] info: histogram of recursion processing times
mailcowdockerized-unbound-mailcow-1  | [1705562349] unbound[1:0] info: [25%]=0.012288 median[50%]=0.0306675 [75%]=0.148021
mailcowdockerized-unbound-mailcow-1  | [1705562349] unbound[1:0] info: lower(secs) upper(secs) recursions
mailcowdockerized-unbound-mailcow-1  | [1705562349] unbound[1:0] info:    0.000000    0.000001 35
mailcowdockerized-unbound-mailcow-1  | [1705562349] unbound[1:0] info:    0.002048    0.004096 6
mailcowdockerized-unbound-mailcow-1  | [1705562349] unbound[1:0] info:    0.004096    0.008192 61
mailcowdockerized-unbound-mailcow-1  | [1705562349] unbound[1:0] info:    0.008192    0.016384 91
mailcowdockerized-unbound-mailcow-1  | [1705562349] unbound[1:0] info:    0.016384    0.032768 117
mailcowdockerized-unbound-mailcow-1  | [1705562349] unbound[1:0] info:    0.032768    0.065536 83
mailcowdockerized-unbound-mailcow-1  | [1705562349] unbound[1:0] info:    0.065536    0.131072 42
mailcowdockerized-unbound-mailcow-1  | [1705562349] unbound[1:0] info:    0.131072    0.262144 58
mailcowdockerized-unbound-mailcow-1  | [1705562349] unbound[1:0] info:    0.262144    0.524288 65
mailcowdockerized-unbound-mailcow-1  | [1705562349] unbound[1:0] info:    0.524288    1.000000 10
mailcowdockerized-unbound-mailcow-1  | [1705562349] unbound[1:0] info:    1.000000    2.000000 11
mailcowdockerized-unbound-mailcow-1  | [1705562349] unbound[1:0] info:    2.000000    4.000000 2
mailcowdockerized-unbound-mailcow-1  | [1705562349] unbound[1:0] info:    4.000000    8.000000 1
mailcowdockerized-unbound-mailcow-1  | [1705562349] unbound[1:0] info:    8.000000   16.000000 1
mailcowdockerized-unbound-mailcow-1  | [1705562349] unbound[1:0] info:   16.000000   32.000000 4
mailcowdockerized-unbound-mailcow-1  | [1705562349] unbound[1:0] info:   32.000000   64.000000 3
mailcowdockerized-unbound-mailcow-1  | Setting console permissions...
mailcowdockerized-unbound-mailcow-1  | Receiving anchor key...
mailcowdockerized-unbound-mailcow-1  | Receiving root hints...
######################################################################## 100.0%
mailcowdockerized-unbound-mailcow-1  | setup in directory /etc/unbound
mailcowdockerized-unbound-mailcow-1  | removing artifacts
mailcowdockerized-unbound-mailcow-1  | Setup success. Certificates created. Enable in unbound.conf file to use
mailcowdockerized-unbound-mailcow-1  | [1705562381] unbound[1:0] notice: init module 0: validator
mailcowdockerized-unbound-mailcow-1  | [1705562381] unbound[1:0] notice: init module 1: iterator
mailcowdockerized-unbound-mailcow-1  | [1705562381] unbound[1:0] info: start of service (unbound 1.19.0).
mailcowdockerized-unbound-mailcow-1  | [1705562382] unbound[1:0] info: generate keytag query _ta-4f66. NULL IN
mailcowdockerized-unbound-mailcow-1  | [1705564085] unbound[1:0] info: service stopped (unbound 1.19.0).
mailcowdockerized-unbound-mailcow-1  | [1705564085] unbound[1:0] info: server stats for thread 0: 920 queries, 533 answers from cache, 387 recursions, 0 prefetch, 0 rejected by ip ratelimiting
mailcowdockerized-unbound-mailcow-1  | [1705564085] unbound[1:0] info: server stats for thread 0: requestlist max 66 avg 6.85271 exceeded 0 jostled 0
mailcowdockerized-unbound-mailcow-1  | [1705564085] unbound[1:0] info: average recursion processing time 13.688362 sec
mailcowdockerized-unbound-mailcow-1  | [1705564085] unbound[1:0] info: histogram of recursion processing times
mailcowdockerized-unbound-mailcow-1  | [1705564085] unbound[1:0] info: [25%]=0.00810218 median[50%]=0.0220487 [75%]=0.101717
mailcowdockerized-unbound-mailcow-1  | [1705564085] unbound[1:0] info: lower(secs) upper(secs) recursions
mailcowdockerized-unbound-mailcow-1  | [1705564085] unbound[1:0] info:    0.000000    0.000001 39
mailcowdockerized-unbound-mailcow-1  | [1705564085] unbound[1:0] info:    0.002048    0.004096 2
mailcowdockerized-unbound-mailcow-1  | [1705564085] unbound[1:0] info:    0.004096    0.008192 57
mailcowdockerized-unbound-mailcow-1  | [1705564085] unbound[1:0] info:    0.008192    0.016384 63
mailcowdockerized-unbound-mailcow-1  | [1705564085] unbound[1:0] info:    0.016384    0.032768 94
mailcowdockerized-unbound-mailcow-1  | [1705564085] unbound[1:0] info:    0.032768    0.065536 22
mailcowdockerized-unbound-mailcow-1  | [1705564085] unbound[1:0] info:    0.065536    0.131072 24
mailcowdockerized-unbound-mailcow-1  | [1705564085] unbound[1:0] info:    0.131072    0.262144 19
mailcowdockerized-unbound-mailcow-1  | [1705564085] unbound[1:0] info:    0.262144    0.524288 17
mailcowdockerized-unbound-mailcow-1  | [1705564085] unbound[1:0] info:    0.524288    1.000000 16
mailcowdockerized-unbound-mailcow-1  | [1705564085] unbound[1:0] info:    1.000000    2.000000 13
mailcowdockerized-unbound-mailcow-1  | [1705564085] unbound[1:0] info:    2.000000    4.000000 11
mailcowdockerized-unbound-mailcow-1  | [1705564085] unbound[1:0] info:    4.000000    8.000000 6
mailcowdockerized-unbound-mailcow-1  | [1705564085] unbound[1:0] info: 1024.000000 2048.000000 4
mailcowdockerized-unbound-mailcow-1  | Setting console permissions...
mailcowdockerized-unbound-mailcow-1  | Receiving anchor key...
mailcowdockerized-unbound-mailcow-1  | Receiving root hints...
######################################################################## 100.0%
mailcowdockerized-unbound-mailcow-1  | setup in directory /etc/unbound
mailcowdockerized-unbound-mailcow-1  | removing artifacts
mailcowdockerized-unbound-mailcow-1  | Setup success. Certificates created. Enable in unbound.conf file to use
mailcowdockerized-unbound-mailcow-1  | [1705564086] unbound[1:0] notice: init module 0: validator
mailcowdockerized-unbound-mailcow-1  | [1705564086] unbound[1:0] notice: init module 1: iterator
mailcowdockerized-unbound-mailcow-1  | [1705564086] unbound[1:0] info: start of service (unbound 1.19.0).
mailcowdockerized-unbound-mailcow-1  | [1705564098] unbound[1:0] info: generate keytag query _ta-4f66. NULL IN

Steps to reproduce:

enter "docker ps" and see result of the unbound container

Which branch are you using?

master

Operating System:

Debian 12

Server/VM specifications:

8GB, 4 cores

Is Apparmor, SELinux or similar active?

no

Virtualization technology:

KVM

Docker version:

24.0.7

docker-compose version or docker compose version:

v2.21.0

mailcow version:

2024-01

Reverse proxy:

no reverse proxy

Logs of git diff:

no changes

Logs of iptables -L -vn:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 9704 3664K MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */
  465 23173 DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set bad src
   22  1064 DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set countries4 src
   52  2604 DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set countries3 src
    0     0 DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set tor src
   31  1680 DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set countries1 src
   28  1427 DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set countries2 src
   36  1620 DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set blocked src
    0     0 DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set binaryedge src
    0     0 DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set stretchoid src
    0     0 DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set shodan src
   47  2673 DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set ipsum src
    0     0 DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set mailcow src
    0     0 DROP       6    --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:63588 ! match-set ssh src

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 195K   58M MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */
   13   716 DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set bad src
   53 21157 DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set countries4 src
  487 95736 DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set countries3 src
    0     0 DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set tor src
 1078  154K DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set countries1 src
    4   208 DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set countries2 src
    0     0 DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set blocked src
    0     0 DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set binaryedge src
    0     0 DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set stretchoid src
    0     0 DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set shodan src
    0     0 DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set ipsum src
    0     0 DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set mailcow src
    0     0 DROP       6    --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:63588 ! match-set ssh src
 340K  294M DOCKER-USER  0    --  *      *       0.0.0.0/0            0.0.0.0/0
 340K  294M DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
 187K   58M ACCEPT     0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
13765  848K DOCKER     0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0
 139K  235M ACCEPT     0    --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0
13147  813K ACCEPT     0    --  br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.249         tcp dpt:6379
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:12345
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:4190
    1    60 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:995
    5   260 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:993
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.80          tcp dpt:80
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.8           tcp dpt:3306
    3   192 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:143
  485 27604 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.9           tcp dpt:443
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:110
    6   336 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.9           tcp dpt:80
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.11          tcp dpt:8983
  112  6720 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:587
    1    52 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:465
    5   280 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:25
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.88          tcp dpt:443

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
 139K  235M DOCKER-ISOLATION-STAGE-2  0    --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0
 340K  294M RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       0    --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0
 139K  235M RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set bad src
    0     0 DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set countries4 src
    0     0 DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set countries3 src
    0     0 DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set tor src
    0     0 DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set countries1 src
    0     0 DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set countries2 src
    0     0 DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set blocked src
    0     0 DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set binaryedge src
    0     0 DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set stretchoid src
    0     0 DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set shodan src
    0     0 DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set ipsum src
    0     0 DROP       0    --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set mailcow src
    0     0 DROP       6    --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:63588 ! match-set ssh src
 340K  294M RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MAILCOW (2 references)
 pkts bytes target     prot opt in     out     source               destination

Logs of ip6tables -L -vn:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  509  230K MAILCOW    0    --  *      *       ::/0                 ::/0                 /* mailcow */
    0     0 DROP       0    --  eth0   *       ::/0                 ::/0                 match-set bad6 src
    0     0 DROP       0    --  eth0   *       ::/0                 ::/0                 match-set countries4v6 src
    0     0 DROP       0    --  eth0   *       ::/0                 ::/0                 match-set countries3v6 src
    0     0 DROP       0    --  eth0   *       ::/0                 ::/0                 match-set tor6 src
    0     0 DROP       0    --  eth0   *       ::/0                 ::/0                 match-set countries1v6 src
    0     0 DROP       0    --  eth0   *       ::/0                 ::/0                 match-set countries2v6 src
    0     0 DROP       0    --  eth0   *       ::/0                 ::/0                 match-set blocked6 src
    0     0 DROP       0    --  eth0   *       ::/0                 ::/0                 match-set binaryedge6 src

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
21835   24M MAILCOW    0    --  *      *       ::/0                 ::/0                 /* mailcow */
    0     0 DROP       0    --  eth0   *       ::/0                 ::/0                 match-set bad6 src
   61 25276 DROP       0    --  eth0   *       ::/0                 ::/0                 match-set countries4v6 src
    0     0 DROP       0    --  eth0   *       ::/0                 ::/0                 match-set countries3v6 src
    0     0 DROP       0    --  eth0   *       ::/0                 ::/0                 match-set tor6 src
  313  115K DROP       0    --  eth0   *       ::/0                 ::/0                 match-set countries1v6 src
    0     0 DROP       0    --  eth0   *       ::/0                 ::/0                 match-set countries2v6 src
   25  2000 DROP       0    --  eth0   *       ::/0                 ::/0                 match-set blocked6 src
    0     0 DROP       0    --  eth0   *       ::/0                 ::/0                 match-set binaryedge6 src
31201   27M DOCKER-USER  0    --  *      *       ::/0                 ::/0
31201   27M DOCKER-ISOLATION-STAGE-1  0    --  *      *       ::/0                 ::/0
    0     0 ACCEPT     0    --  *      docker0  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 DOCKER     0    --  *      docker0  ::/0                 ::/0
    0     0 ACCEPT     0    --  docker0 !docker0  ::/0                 ::/0
    0     0 ACCEPT     0    --  docker0 docker0  ::/0                 ::/0
21057   26M ACCEPT     0    --  *      br-mailcow  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
 7688  529K DOCKER     0    --  *      br-mailcow  ::/0                 ::/0
 2456  251K ACCEPT     0    --  br-mailcow !br-mailcow  ::/0                 ::/0
 7683  528K ACCEPT     0    --  br-mailcow br-mailcow  ::/0                 ::/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::9  tcp dpt:4190
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::9  tcp dpt:995
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::9  tcp dpt:993
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::9  tcp dpt:143
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::d  tcp dpt:443
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::9  tcp dpt:110
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::d  tcp dpt:80
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::10  tcp dpt:587
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::10  tcp dpt:465
    5   400 ACCEPT     6    --  !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::10  tcp dpt:25

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  0    --  docker0 !docker0  ::/0                 ::/0
 2456  251K DOCKER-ISOLATION-STAGE-2  0    --  br-mailcow !br-mailcow  ::/0                 ::/0
31201   27M RETURN     0    --  *      *       ::/0                 ::/0

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       0    --  *      docker0  ::/0                 ::/0
    0     0 DROP       0    --  *      br-mailcow  ::/0                 ::/0
 2456  251K RETURN     0    --  *      *       ::/0                 ::/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       0    --  eth0   *       ::/0                 ::/0                 match-set bad6 src
    0     0 DROP       0    --  eth0   *       ::/0                 ::/0                 match-set countries4v6 src
    0     0 DROP       0    --  eth0   *       ::/0                 ::/0                 match-set countries3v6 src
    0     0 DROP       0    --  eth0   *       ::/0                 ::/0                 match-set tor6 src
    0     0 DROP       0    --  eth0   *       ::/0                 ::/0                 match-set countries1v6 src
    0     0 DROP       0    --  eth0   *       ::/0                 ::/0                 match-set countries2v6 src
    0     0 DROP       0    --  eth0   *       ::/0                 ::/0                 match-set blocked6 src
    0     0 DROP       0    --  eth0   *       ::/0                 ::/0                 match-set binaryedge6 src
31201   27M RETURN     0    --  *      *       ::/0                 ::/0

Chain MAILCOW (2 references)
 pkts bytes target     prot opt in     out     source               destination

Logs of iptables -L -vn -t nat:

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1646 90656 DOCKER     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     0    --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  0    --  *      !docker0  172.17.0.0/16        0.0.0.0/0
 5577  431K MASQUERADE  0    --  *      !br-mailcow  172.22.1.0/24        0.0.0.0/0
    0     0 MASQUERADE  6    --  *      *       172.22.1.249         172.22.1.249         tcp dpt:6379
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:12345
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:4190
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:995
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:993
    0     0 MASQUERADE  6    --  *      *       172.22.1.80          172.22.1.80          tcp dpt:80
    0     0 MASQUERADE  6    --  *      *       172.22.1.8           172.22.1.8           tcp dpt:3306
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:143
    0     0 MASQUERADE  6    --  *      *       172.22.1.9           172.22.1.9           tcp dpt:443
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:110
    0     0 MASQUERADE  6    --  *      *       172.22.1.9           172.22.1.9           tcp dpt:80
    0     0 MASQUERADE  6    --  *      *       172.22.1.11          172.22.1.11          tcp dpt:8983
    0     0 MASQUERADE  6    --  *      *       172.22.1.253         172.22.1.253         tcp dpt:587
    0     0 MASQUERADE  6    --  *      *       172.22.1.253         172.22.1.253         tcp dpt:465
    0     0 MASQUERADE  6    --  *      *       172.22.1.253         172.22.1.253         tcp dpt:25
    0     0 MASQUERADE  6    --  *      *       172.22.1.88          172.22.1.88          tcp dpt:443

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     0    --  docker0 *       0.0.0.0/0            0.0.0.0/0
    1    60 RETURN     0    --  br-mailcow *       0.0.0.0/0            0.0.0.0/0
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:7654 to:172.22.1.249:6379
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:19991 to:172.22.1.250:12345
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4190 to:172.22.1.250:4190
    1    60 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995 to:172.22.1.250:995
    5   260 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 to:172.22.1.250:993
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:8520 to:172.22.1.80:80
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:13306 to:172.22.1.8:3306
   11   672 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 to:172.22.1.250:143
  510 29048 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.22.1.9:443
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 to:172.22.1.250:110
   96  6052 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.22.1.9:80
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:18983 to:172.22.1.11:8983
  114  6840 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 to:172.22.1.253:587
    1    52 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 to:172.22.1.253:465
   18  1032 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:172.22.1.253:25
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:8443 to:172.22.1.88:443

Logs of ip6tables -L -vn -t nat:

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   49  3920 DOCKER     0    --  *      *       ::/0                 ::/0                 ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     0    --  *      *       ::/0                !::1                  ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  0    --  *      !docker0  fd00:dead:beef:c0::/80  ::/0
 2043  187K MASQUERADE  0    --  *      !br-mailcow  fd4d:6169:6c63:6f77::/64  ::/0
    0     0 MASQUERADE  6    --  *      *       fd4d:6169:6c63:6f77::9  fd4d:6169:6c63:6f77::9  tcp dpt:4190
    0     0 MASQUERADE  6    --  *      *       fd4d:6169:6c63:6f77::9  fd4d:6169:6c63:6f77::9  tcp dpt:995
    0     0 MASQUERADE  6    --  *      *       fd4d:6169:6c63:6f77::9  fd4d:6169:6c63:6f77::9  tcp dpt:993
    0     0 MASQUERADE  6    --  *      *       fd4d:6169:6c63:6f77::9  fd4d:6169:6c63:6f77::9  tcp dpt:143
    0     0 MASQUERADE  6    --  *      *       fd4d:6169:6c63:6f77::d  fd4d:6169:6c63:6f77::d  tcp dpt:443
    0     0 MASQUERADE  6    --  *      *       fd4d:6169:6c63:6f77::9  fd4d:6169:6c63:6f77::9  tcp dpt:110
    0     0 MASQUERADE  6    --  *      *       fd4d:6169:6c63:6f77::d  fd4d:6169:6c63:6f77::d  tcp dpt:80
    0     0 MASQUERADE  6    --  *      *       fd4d:6169:6c63:6f77::10  fd4d:6169:6c63:6f77::10  tcp dpt:587
    0     0 MASQUERADE  6    --  *      *       fd4d:6169:6c63:6f77::10  fd4d:6169:6c63:6f77::10  tcp dpt:465
    0     0 MASQUERADE  6    --  *      *       fd4d:6169:6c63:6f77::10  fd4d:6169:6c63:6f77::10  tcp dpt:25

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     0    --  docker0 *       ::/0                 ::/0
   19  1520 RETURN     0    --  br-mailcow *       ::/0                 ::/0
    0     0 DNAT       6    --  !br-mailcow *       ::/0                 ::/0                 tcp dpt:4190 to:[fd4d:6169:6c63:6f77::9]:4190
    0     0 DNAT       6    --  !br-mailcow *       ::/0                 ::/0                 tcp dpt:995 to:[fd4d:6169:6c63:6f77::9]:995
    0     0 DNAT       6    --  !br-mailcow *       ::/0                 ::/0                 tcp dpt:993 to:[fd4d:6169:6c63:6f77::9]:993
    0     0 DNAT       6    --  !br-mailcow *       ::/0                 ::/0                 tcp dpt:143 to:[fd4d:6169:6c63:6f77::9]:143
    0     0 DNAT       6    --  !br-mailcow *       ::/0                 ::/0                 tcp dpt:443 to:[fd4d:6169:6c63:6f77::d]:443
    0     0 DNAT       6    --  !br-mailcow *       ::/0                 ::/0                 tcp dpt:110 to:[fd4d:6169:6c63:6f77::9]:110
    0     0 DNAT       6    --  !br-mailcow *       ::/0                 ::/0                 tcp dpt:80 to:[fd4d:6169:6c63:6f77::d]:80
    0     0 DNAT       6    --  !br-mailcow *       ::/0                 ::/0                 tcp dpt:587 to:[fd4d:6169:6c63:6f77::10]:587
    0     0 DNAT       6    --  !br-mailcow *       ::/0                 ::/0                 tcp dpt:465 to:[fd4d:6169:6c63:6f77::10]:465
   30  2400 DNAT       6    --  !br-mailcow *       ::/0                 ::/0                 tcp dpt:25 to:[fd4d:6169:6c63:6f77::10]:25

DNS check:

172.64.155.249
104.18.32.7
@bundyland bundyland added the bug label Jan 18, 2024
@DerLinkman
Member

Hi!

Can you check inside the unbound container at /var/logs/healthcheck.log which check fails?

@bundyland
Author

bundyland commented Jan 18, 2024

Hi Niklas,

docker compose exec unbound-mailcow cat /var/log/healthcheck.log

results in:

2024-01-18 08:23:21: Healthcheck: ALL CHECKS WERE SUCCESSFUL! Unbound is healthy!

That's strange, because...

docker ps

results in:

70c346bc1bda mailcow/unbound:1.19 "/docker-entrypoint.…" 3 hours ago Up 2 hours (unhealthy) 53/tcp, 53/udp

Can I just ignore it?

Thank you!

@DerLinkman
Member

OK, I don't get this then :D

Normally if this message shows up docker should exit this script with 0 = everything is fine, 1 = something is broken.

As the script is generating this message it should exit with 0. Can you down and up again? And if it shows up unhealthy again visit the log file again?

@bundyland
Author

bundyland commented Jan 18, 2024

OK, done, but now I get...

✘ Container mailcowdockerized-unbound-mailcow-1 Error
dependency failed to start: container mailcowdockerized-unbound-mailcow-1 is unhealthy

and...

docker compose exec unbound-mailcow cat /var/log/healthcheck.log

results in:

cat: can't open '/var/log/healthcheck.log': No such file or directory

I will reboot the server to see if it comes up again.

Edit: even after a reboot, unbound doesn't start anymore due to the unhealthy container.
Is there any way to disable the health check to bring unbound up again?

Thanks!

@psonntag1

I have the same issue with an on-prem machine.

Unbound is unhealthy. The healthcheck does not show any errors. But docker inspect shows the following:

[
{
"Id": "62722fbe6c31653880a4a4c958277e0084f83cd619b4ce23eb536054f64f70ae",
"Created": "2024-01-17T20:18:28.799809604Z",
"Path": "/docker-entrypoint.sh",
"Args": [
"/usr/sbin/unbound"
],
"State": {
"Status": "running",
"Running": true,
"Paused": false,
"Restarting": false,
"OOMKilled": false,
"Dead": false,
"Pid": 1296784,
"ExitCode": 0,
"Error": "",
"StartedAt": "2024-01-17T20:18:30.585997031Z",
"FinishedAt": "0001-01-01T00:00:00Z",
"Health": {
"Status": "unhealthy",
"FailingStreak": 7,
"Log": [
{
"Start": "2024-01-17T21:19:05.721098604+01:00",
"End": "2024-01-17T21:19:15.758026345+01:00",
"ExitCode": -1,
"Output": "Health check exceeded timeout (10s): PING 1.1.1.1 (1.1.1.1): 56 data bytes\n\n--- 1.1.1.1 ping statistics ---\n3 packets transmitted, 3 packets received, 0% packet loss\nround-trip min/avg/max = 6.393/6.726/7.146 ms\nPING 8.8.8.8 (8.8.8.8): 56 data bytes\n\n--- 8.8.8.8 ping statistics ---\n3 packets transmitted, 3 packets received, 0% packet loss\nround-trip min/avg/max = 5.985/6.090/6.144 ms\nPING 9.9.9.9 (9.9.9.9): 56 data bytes\n\n--- 9.9.9.9 ping statistics ---\n3 packets transmitted, 3 packets received, 0% packet loss\nround-trip min/avg/max = 6.872/7.096/7.348 ms\n"
},
{
"Start": "2024-01-17T21:19:20.780886793+01:00",
"End": "2024-01-17T21:19:30.818817424+01:00",
"ExitCode": -1,
"Output": "Health check exceeded timeout (10s): PING 1.1.1.1 (1.1.1.1): 56 data bytes\n\n--- 1.1.1.1 ping statistics ---\n3 packets transmitted, 3 packets received, 0% packet loss\nround-trip min/avg/max = 6.618/6.647/6.702 ms\nPING 8.8.8.8 (8.8.8.8): 56 data bytes\n\n--- 8.8.8.8 ping statistics ---\n3 packets transmitted, 3 packets received, 0% packet loss\nround-trip min/avg/max = 5.966/6.189/6.308 ms\nPING 9.9.9.9 (9.9.9.9): 56 data bytes\n\n--- 9.9.9.9 ping statistics ---\n3 packets transmitted, 3 packets received, 0% packet loss\nround-trip min/avg/max = 6.858/7.092/7.543 ms\n"
},
{
"Start": "2024-01-17T21:19:35.843486864+01:00",
"End": "2024-01-17T21:19:45.901540517+01:00",
"ExitCode": -1,
"Output": "Health check exceeded timeout (10s): PING 1.1.1.1 (1.1.1.1): 56 data bytes\n\n--- 1.1.1.1 ping statistics ---\n3 packets transmitted, 3 packets received, 0% packet loss\nround-trip min/avg/max = 6.610/6.736/6.822 ms\nPING 8.8.8.8 (8.8.8.8): 56 data bytes\n\n--- 8.8.8.8 ping statistics ---\n3 packets transmitted, 3 packets received, 0% packet loss\nround-trip min/avg/max = 5.803/6.032/6.279 ms\nPING 9.9.9.9 (9.9.9.9): 56 data bytes\n\n--- 9.9.9.9 ping statistics ---\n3 packets transmitted, 3 packets received, 0% packet loss\nround-trip min/avg/max = 6.856/6.959/7.110 ms\n"
},
{
"Start": "2024-01-17T21:19:50.925010061+01:00",
"End": "2024-01-17T21:20:00.981419677+01:00",
"ExitCode": -1,
"Output": "Health check exceeded timeout (10s): PING 1.1.1.1 (1.1.1.1): 56 data bytes\n\n--- 1.1.1.1 ping statistics ---\n3 packets transmitted, 3 packets received, 0% packet loss\nround-trip min/avg/max = 6.509/6.557/6.636 ms\nPING 8.8.8.8 (8.8.8.8): 56 data bytes\n\n--- 8.8.8.8 ping statistics ---\n3 packets transmitted, 3 packets received, 0% packet loss\nround-trip min/avg/max = 5.923/6.079/6.223 ms\nPING 9.9.9.9 (9.9.9.9): 56 data bytes\n\n--- 9.9.9.9 ping statistics ---\n3 packets transmitted, 3 packets received, 0% packet loss\nround-trip min/avg/max = 6.892/7.168/7.454 ms\n"
},
{
"Start": "2024-01-17T21:20:06.004118007+01:00",
"End": "2024-01-17T21:20:16.056490904+01:00",
"ExitCode": -1,
"Output": "Health check exceeded timeout (10s): PING 1.1.1.1 (1.1.1.1): 56 data bytes\n\n--- 1.1.1.1 ping statistics ---\n3 packets transmitted, 3 packets received, 0% packet loss\nround-trip min/avg/max = 6.429/6.676/6.858 ms\nPING 8.8.8.8 (8.8.8.8): 56 data bytes\n\n--- 8.8.8.8 ping statistics ---\n3 packets transmitted, 3 packets received, 0% packet loss\nround-trip min/avg/max = 5.864/6.064/6.167 ms\nPING 9.9.9.9 (9.9.9.9): 56 data bytes\n\n--- 9.9.9.9 ping statistics ---\n3 packets transmitted, 3 packets received, 0% packet loss\nround-trip min/avg/max = 7.448/7.543/7.641 ms\n"
}

In my case the unhealthy unbound prevents other containers from starting. I mitigated the issue by reverting to unbound 1.18

@bundyland
Author

Here are also my results of docker inspect:

root@m:/opt/mailcow-dockerized # docker inspect ff3aaab746e2
[
{
"Id": "ff3aaab746e2322b589776319ceee64eed8630bb33db83624c41c1bcf038da27",
"Created": "2024-01-18T10:36:46.990315443Z",
"Path": "/docker-entrypoint.sh",
"Args": [
"/usr/sbin/unbound"
],
"State": {
"Status": "running",
"Running": true,
"Paused": false,
"Restarting": false,
"OOMKilled": false,
"Dead": false,
"Pid": 25609,
"ExitCode": 0,
"Error": "",
"StartedAt": "2024-01-18T10:37:01.289982423Z",
"FinishedAt": "0001-01-01T00:00:00Z",
"Health": {
"Status": "unhealthy",
"FailingStreak": 20,
"Log": [
{
"Start": "2024-01-18T11:43:24.3108698+01:00",
"End": "2024-01-18T11:43:34.367859761+01:00",
"ExitCode": -1,
"Output": "Health check exceeded timeout (10s): PING 1.1.1.1 (1.1.1.1): 56 data bytes\n"
},
{
"Start": "2024-01-18T11:43:39.372827547+01:00",
"End": "2024-01-18T11:43:49.437758732+01:00",
"ExitCode": -1,
"Output": "Health check exceeded timeout (10s): PING 1.1.1.1 (1.1.1.1): 56 data bytes\n"
},
{
"Start": "2024-01-18T11:43:54.442715733+01:00",
"End": "2024-01-18T11:44:04.496623549+01:00",
"ExitCode": -1,
"Output": "Health check exceeded timeout (10s): PING 1.1.1.1 (1.1.1.1): 56 data bytes\n"
},
{
"Start": "2024-01-18T11:44:09.501698978+01:00",
"End": "2024-01-18T11:44:19.562379792+01:00",
"ExitCode": -1,
"Output": "Health check exceeded timeout (10s): PING 1.1.1.1 (1.1.1.1): 56 data bytes\n"
},
{
"Start": "2024-01-18T11:44:24.568289724+01:00",
"End": "2024-01-18T11:44:34.621425328+01:00",
"ExitCode": -1,
"Output": "Health check exceeded timeout (10s): PING 1.1.1.1 (1.1.1.1): 56 data bytes\n"
}
]
}
},
"Image": "sha256:b30e3cbad9d1d1d95b12d1404893fd4ad2b0f53b598a99f9e6465b759e216726",
"ResolvConfPath": "/var/lib/docker/containers/ff3aaab746e2322b589776319ceee64eed8630bb33db83624c41c1bcf038da27/resolv.conf",
"HostnamePath": "/var/lib/docker/containers/ff3aaab746e2322b589776319ceee64eed8630bb33db83624c41c1bcf038da27/hostname",
"HostsPath": "/var/lib/docker/containers/ff3aaab746e2322b589776319ceee64eed8630bb33db83624c41c1bcf038da27/hosts",
"LogPath": "/var/lib/docker/containers/ff3aaab746e2322b589776319ceee64eed8630bb33db83624c41c1bcf038da27/ff3aaab746e2322b589776319ceee64eed8630bb33db83624c41c1bcf038da27-json.log",
"Name": "/mailcowdockerized-unbound-mailcow-1",
"RestartCount": 0,
"Driver": "overlay2",
"Platform": "linux",
"MountLabel": "",
"ProcessLabel": "",
"AppArmorProfile": "docker-default",
"ExecIDs": [
"5b7d3af1cc0f37d00c8dcf1c83e4fe49d47bab56a310014737e08e875757700a"
],
"HostConfig": {
"Binds": [
"/opt/mailcow-dockerized/data/hooks/unbound:/hooks:rw,Z",
"/opt/mailcow-dockerized/data/conf/unbound/unbound.conf:/etc/unbound/unbound.conf:ro,Z"
],
"ContainerIDFile": "",
"LogConfig": {
"Type": "json-file",
"Config": {}
},
"NetworkMode": "mailcowdockerized_mailcow-network",
"PortBindings": {},
"RestartPolicy": {
"Name": "always",
"MaximumRetryCount": 0
},
"AutoRemove": false,
"VolumeDriver": "",
"VolumesFrom": null,
"ConsoleSize": [
0,
0
],
"CapAdd": null,
"CapDrop": null,
"CgroupnsMode": "private",
"Dns": null,
"DnsOptions": null,
"DnsSearch": null,
"ExtraHosts": [],
"GroupAdd": null,
"IpcMode": "private",
"Cgroup": "",
"Links": null,
"OomScoreAdj": 0,
"PidMode": "",
"Privileged": false,
"PublishAllPorts": false,
"ReadonlyRootfs": false,
"SecurityOpt": null,
"UTSMode": "",
"UsernsMode": "",
"ShmSize": 67108864,
"Runtime": "runc",
"Isolation": "",
"CpuShares": 0,
"Memory": 0,
"NanoCpus": 0,
"CgroupParent": "",
"BlkioWeight": 0,
"BlkioWeightDevice": null,
"BlkioDeviceReadBps": null,
"BlkioDeviceWriteBps": null,
"BlkioDeviceReadIOps": null,
"BlkioDeviceWriteIOps": null,
"CpuPeriod": 0,
"CpuQuota": 0,
"CpuRealtimePeriod": 0,
"CpuRealtimeRuntime": 0,
"CpusetCpus": "",
"CpusetMems": "",
"Devices": null,
"DeviceCgroupRules": null,
"DeviceRequests": null,
"MemoryReservation": 0,
"MemorySwap": 0,
"MemorySwappiness": null,
"OomKillDisable": null,
"PidsLimit": null,
"Ulimits": null,
"CpuCount": 0,
"CpuPercent": 0,
"IOMaximumIOps": 0,
"IOMaximumBandwidth": 0,
"MaskedPaths": [
"/proc/asound",
"/proc/acpi",
"/proc/kcore",
"/proc/keys",
"/proc/latency_stats",
"/proc/timer_list",
"/proc/timer_stats",
"/proc/sched_debug",
"/proc/scsi",
"/sys/firmware",
"/sys/devices/virtual/powercap"
],
"ReadonlyPaths": [
"/proc/bus",
"/proc/fs",
"/proc/irq",
"/proc/sys",
"/proc/sysrq-trigger"
]
},
"GraphDriver": {
"Data": {
"LowerDir": "/var/lib/docker/overlay2/ee52ec16eb9c6a8543dcc025b50b5ab56d88c59e70369ff5880c5f81fa84d751-init/diff:/var/lib/docker/overlay2/06ca057b72b8c43e71d83ea6e9b0d7b31649d67bb81fc7f23508bad7d5a2660b/diff:/var/lib/doc,
"MergedDir": "/var/lib/docker/overlay2/ee52ec16eb9c6a8543dcc025b50b5ab56d88c59e70369ff5880c5f81fa84d751/merged",
"UpperDir": "/var/lib/docker/overlay2/ee52ec16eb9c6a8543dcc025b50b5ab56d88c59e70369ff5880c5f81fa84d751/diff",
"WorkDir": "/var/lib/docker/overlay2/ee52ec16eb9c6a8543dcc025b50b5ab56d88c59e70369ff5880c5f81fa84d751/work"
},
"Name": "overlay2"
},
"Mounts": [
{
"Type": "bind",
"Source": "/opt/mailcow-dockerized/data/hooks/unbound",
"Destination": "/hooks",
"Mode": "rw,Z",
"RW": true,
"Propagation": "rprivate"
},
{
"Type": "bind",
"Source": "/opt/mailcow-dockerized/data/conf/unbound/unbound.conf",
"Destination": "/etc/unbound/unbound.conf",
"Mode": "ro,Z",
"RW": false,
"Propagation": "rprivate"
}
],
"Config": {
"Hostname": "ff3aaab746e2",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": true,
"AttachStderr": true,
"ExposedPorts": {
"53/tcp": {},
"53/udp": {}
},
"Tty": true,
"OpenStdin": false,
"StdinOnce": false,
"Env": [
"TZ=Europe/Berlin",
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"Cmd": [
"/usr/sbin/unbound"
],
"Healthcheck": {
"Test": [
"CMD",
"/healthcheck.sh"
],
"Interval": 5000000000,
"Timeout": 10000000000
},
"Image": "mailcow/unbound:1.19",
"Volumes": null,
"WorkingDir": "",
"Entrypoint": [
"/docker-entrypoint.sh"
],
"OnBuild": null,
"Labels": {
"com.docker.compose.config-hash": "ed5a9989680f2d3fda3317ec6dcd45a5ee3a427b39da30db3758ec845b9e6fc9",
"com.docker.compose.container-number": "1",
"com.docker.compose.depends_on": "",
"com.docker.compose.image": "sha256:b30e3cbad9d1d1d95b12d1404893fd4ad2b0f53b598a99f9e6465b759e216726",
"com.docker.compose.oneoff": "False",
"com.docker.compose.project": "mailcowdockerized",
"com.docker.compose.project.config_files": "/opt/mailcow-dockerized/docker-compose.yml",
"com.docker.compose.project.working_dir": "/opt/mailcow-dockerized",
"com.docker.compose.replace": "f25943fc59b7389310a0f888bb4ee8d4b8dd1c08e576a9d0fd27105c39f6f107",
"com.docker.compose.service": "unbound-mailcow",
"com.docker.compose.version": "2.21.0",
"maintainer": "The Infrastructure Company GmbH GmbH [email protected]"
}
},
"NetworkSettings": {
"Bridge": "",
"SandboxID": "7a3e1638bece3cee231dadd2efbc2bed31ccff0e68fb2c9eab331b257f54d656",
"HairpinMode": false,
"LinkLocalIPv6Address": "",
"LinkLocalIPv6PrefixLen": 0,
"Ports": {
"53/tcp": null,
"53/udp": null
},
"SandboxKey": "/var/run/docker/netns/7a3e1638bece",
"SecondaryIPAddresses": null,
"SecondaryIPv6Addresses": null,
"EndpointID": "",
"Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"IPAddress": "",
"IPPrefixLen": 0,
"IPv6Gateway": "",
"MacAddress": "",
"Networks": {
"mailcowdockerized_mailcow-network": {
"IPAMConfig": {
"IPv4Address": "172.22.1.254"
},
"Links": null,
"Aliases": [
"mailcowdockerized-unbound-mailcow-1",
"unbound-mailcow",
"unbound",
"ff3aaab746e2"
],
"NetworkID": "56c1f6e5473eb11b65bb3fbc4907f3fede3dd8c0a7f6ed0d13c4810d8d3d8968",
"EndpointID": "c932edd05715df5b549f53d6c42807c2e7699fb47275f73deddfa5b831ec7eb5",
"Gateway": "172.22.1.1",
"IPAddress": "172.22.1.254",
"IPPrefixLen": 24,
"IPv6Gateway": "fd4d:6169:6c63:6f77::1",
"GlobalIPv6Address": "fd4d:6169:6c63:6f77::4",
"GlobalIPv6PrefixLen": 64,
"MacAddress": "02:42:ac:16:01:fe",
"DriverOpts": null
}
}
}
}
]

@DerLinkman
Member

Ah yes, that is very helpful! The healthcheck timeout value is too short. Docker is set to await an answer from the healthcheck within 10s. It seems to take longer on some machines. That is an easy fix and will be fixed within 2024-01a.
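
The distinction made in the comment above (probe killed at the timeout versus a check that actually failed) can be read straight out of `docker inspect`. The following Python script is an added example, not part of the original thread or of mailcow's code; the function names are hypothetical and the sample data is constructed in the shape of the outputs posted in this thread.

```python
import json
import re
from datetime import datetime

DEFAULT_TIMEOUT_NS = 30_000_000_000  # Docker's default when no timeout is configured
TIMEOUT_PREFIX = "Health check exceeded timeout"  # as seen in the Output fields above
_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})$")


def parse_ts(ts):
    """Parse Docker's RFC 3339 timestamps (0-9 fractional digits, 'Z' or an offset)."""
    m = _TS.match(ts)
    if not m:
        raise ValueError(f"unexpected timestamp: {ts!r}")
    base, frac, zone = m.groups()
    frac = (frac or "").ljust(6, "0")[:6]  # datetime only keeps microseconds
    zone = "+00:00" if zone == "Z" else zone
    return datetime.strptime(f"{base}.{frac}{zone}", "%Y-%m-%dT%H:%M:%S.%f%z")


def progress(output):
    """Summarise how far the probe got, judged from the ping/netcat lines it printed."""
    started = re.findall(r"PING (\S+) \(", output)
    finished = re.findall(r"--- (\S+) ping statistics ---", output)
    stalled = [ip for ip in started if ip not in finished]
    return {
        "pings_finished": len(finished),
        "ping_stalled": stalled[0] if stalled else None,  # ping that never returned
        "tcp_ok": output.count("succeeded!"),
    }


def analyse(inspect_json):
    """Classify every entry of State.Health.Log for the first container in the JSON."""
    container = json.loads(inspect_json)[0]
    hc = container.get("Config", {}).get("Healthcheck") or {}
    timeout_s = (hc.get("Timeout") or DEFAULT_TIMEOUT_NS) / 1e9  # stored in nanoseconds
    rows = []
    for entry in container["State"]["Health"]["Log"]:
        seconds = (parse_ts(entry["End"]) - parse_ts(entry["Start"])).total_seconds()
        out = entry.get("Output", "")
        if entry["ExitCode"] == 0:
            verdict = "pass"
        elif entry["ExitCode"] == -1 and (out.startswith(TIMEOUT_PREFIX) or seconds >= timeout_s):
            verdict = "killed-by-timeout"  # Docker gave up; the script reported nothing
        else:
            verdict = "check-failed"  # the script itself exited non-zero
        rows.append({"verdict": verdict, "seconds": seconds, "timeout": timeout_s,
                     **progress(out)})
    return rows


# --- Constructed sample data, modelled on the outputs posted in this thread ---
_PING = ("PING {ip} ({ip}): 56 data bytes\n\n--- {ip} ping statistics ---\n"
         "3 packets transmitted, {rx} packets received, {loss}% packet loss\n")
ALL_PINGS_OK = "".join(_PING.format(ip=ip, rx=3, loss=0)
                       for ip in ("1.1.1.1", "8.8.8.8", "9.9.9.9"))
ONE_PING_LOST = (_PING.format(ip="1.1.1.1", rx=3, loss=0)
                 + _PING.format(ip="8.8.8.8", rx=3, loss=0)
                 + _PING.format(ip="9.9.9.9", rx=0, loss=100))

SAMPLE = json.dumps([{
    "State": {"Health": {"Status": "unhealthy", "FailingStreak": 3, "Log": [
        {"Start": "2024-01-18T10:43:09Z", "End": "2024-01-18T10:43:15.5Z", "ExitCode": 0,
         "Output": ALL_PINGS_OK
         + "Connection to mailcow.email (185.199.108.153) 80 port [tcp/http] succeeded!\n"},
        {"Start": "2024-01-18T11:43:24.3108698+01:00",
         "End": "2024-01-18T11:43:34.367859761+01:00", "ExitCode": -1,
         "Output": TIMEOUT_PREFIX + " (10s): PING 1.1.1.1 (1.1.1.1): 56 data bytes\n"},
        {"Start": "2024-01-18T11:43:39.372827547+01:00",
         "End": "2024-01-18T11:43:49.437758732+01:00", "ExitCode": -1,
         "Output": TIMEOUT_PREFIX + " (10s): " + ALL_PINGS_OK},
        {"Start": "2024-01-18T11:43:54.442715733+01:00",
         "End": "2024-01-18T11:44:00.942715733+01:00", "ExitCode": 1,
         "Output": ONE_PING_LOST},
    ]}},
    "Config": {"Healthcheck": {"Test": ["CMD", "/healthcheck.sh"],
                               "Interval": 5000000000, "Timeout": 10000000000}},
}])

if __name__ == "__main__":
    for row in analyse(SAMPLE):
        where = (f"stalled on ping {row['ping_stalled']}" if row["ping_stalled"]
                 else f"{row['pings_finished']} pings, {row['tcp_ok']} TCP checks done")
        print(f"{row['verdict']:<18} {row['seconds']:6.2f}s of {row['timeout']:.0f}s  {where}")
```

A probe that stalls on its first ping points at unanswered ICMP, while one that finishes all pings and is still killed points at a slow later stage, such as the DNS delay found later in this thread.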

@DerLinkman
Member

Fixed with 2024-01a (just released)

@bundyland
Author

Sorry Niklas, but the problem remains. At least for me.

After the fix I now get the following error:

2024-01-18 12:07:49: Please check your internet connection or firewall rules to fix this error, because a simple ping test should always go through from the unbound container!

That's strange! There is no firewall in place.

@DerLinkman
Member

It cannot ping 1.1.1.1, 8.8.8.8 and 9.9.9.9; that's all the first check does.

@KarolKozlowski

Hi, I am also experiencing an issue with the unbound health check; it looks like it takes just over 30s in my case (however, I'm on x86_64):

# time docker exec -it mailcowdockerized-unbound-mailcow-1 /healthcheck.sh
PING 1.1.1.1 (1.1.1.1): 56 data bytes

--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 1.182/1.343/1.491 ms
PING 8.8.8.8 (8.8.8.8): 56 data bytes

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 20.747/20.952/21.108 ms
PING 9.9.9.9 (9.9.9.9): 56 data bytes

--- 9.9.9.9 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 1.045/1.104/1.155 ms
Connection to mailcow.email (185.199.108.153) 80 port [tcp/http] succeeded!
Connection to mailcow.email (185.199.110.153) 443 port [tcp/https] succeeded!
Connection to github.com (140.82.121.3) 80 port [tcp/http] succeeded!
Connection to github.com (140.82.121.4) 443 port [tcp/https] succeeded!
Connection to hub.docker.com (44.193.181.103) 80 port [tcp/http] succeeded!
Connection to hub.docker.com (44.219.3.189) 443 port [tcp/https] succeeded!

real    0m31.144s
user    0m0.028s
sys     0m0.044s

I created a compose override as a workaround which seemed to have worked:

version: '2.1'

services:
  unbound-mailcow:
    healthcheck:
      test: [ "CMD", "/healthcheck.sh" ]
      timeout: 1m

@dw763j

dw763j commented Jan 18, 2024

I got the same problem. In my case, my server just cannot ping 9.9.9.9; all packets are lost, so I deleted it from data/Dockerfiles/unbound/healthcheck.sh, but it seems nothing changed? It still tried to ping 9.9.9.9 for the check and I just got the unhealthy error.

➜  mailcow-dockerized git:(master) ✗ time docker exec -it mailcowdockerized-unbound-mailcow-1 /healthcheck.sh
PING 1.1.1.1 (1.1.1.1): 56 data bytes

--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.669/1.615/2.283 ms
PING 8.8.8.8 (8.8.8.8): 56 data bytes

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.967/0.992/1.028 ms
PING 9.9.9.9 (9.9.9.9): 56 data bytes

--- 9.9.9.9 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
docker exec -it mailcowdockerized-unbound-mailcow-1 /healthcheck.sh  0.03s user 0.01s system 0% cpu 16.140 total

@DerLinkman
Member

If you delete the check, you need to rebuild the container. Or you look into why you cannot ping 9.9.9.9, though.

@dw763j

dw763j commented Jan 18, 2024

> If you delete the check, you need to rebuild the container. Or you look into why you cannot ping 9.9.9.9, though.

You mean docker compose down and re-up again? I did, but it seems that is not the "rebuild" you mentioned. What should I do?

@DerLinkman
Member

A rebuild is done by using docker build. But this is only a workaround for your problem, which you should definitely analyse.

@dw763j

dw763j commented Jan 18, 2024

> A rebuild is done by using docker build. But this is only a workaround for your problem, which you should definitely analyse.

Thanks for your reply and all your contributions to the open source community. I have changed to another open source mail server and it worked.

@Green2Matter

Changing the health check timeout to even 1m doesn't help. I still receive the same error:
dependency failed to start: container mailcowdockerized-unbound-mailcow-1 is unhealthy...

@KagurazakaNyaa
Contributor

If your server is located in a region where you must use a proxy to access github.com (such as China), then increasing the health check timeout is useless. In this case, you can only turn off the health check.

@Green2Matter

> If your server is located in a region where you must use a proxy to access github.com (such as China), then increasing the health check timeout is useless. In this case, you can only turn off the health check.

Server is in the EU, and everything had been working until the 2024 update...

@DerLinkman
Member

> Changing the health check timeout to even 1m doesn't help. I still receive the same error: dependency failed to start: container mailcowdockerized-unbound-mailcow-1 is unhealthy...

Could you check what the healthcheck logs say? (Located at /var/log/healthcheck.log inside the container.)

Use docker compose exec unbound-mailcow cat /var/log/healthcheck.log

@DerLinkman
Member

> everything had been working until the 2024 update

Yes, that may be the case, but then something is wrong with your system which has been hidden before. These healthchecks are simple network checks such as ping, netcat and DNS resolving, and if those don't work inside the main DNS container, it shouldn't be ignored.

If you are based in China, for example, like @KagurazakaNyaa says, that's a whole different story and completely reasonable (actually, I forgot to think about that).

@Green2Matter

Green2Matter commented Jan 18, 2024

It seems like the issue on my side is I can't ping 1.1.1.1 but there's no problem with pinging other DNS (8.8.8.8)

mk@ubud:/mailcow# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=118 time=6.76 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=118 time=6.44 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=118 time=6.54 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=118 time=6.69 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=118 time=7.52 ms
64 bytes from 8.8.8.8: icmp_seq=6 ttl=118 time=6.63 ms
64 bytes from 8.8.8.8: icmp_seq=7 ttl=118 time=6.75 ms
--- 8.8.8.8 ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6011ms
rtt min/avg/max/mdev = 6.437/6.761/7.520/0.327 ms
mk@ubu:/mailcow# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
^C
--- 1.1.1.1 ping statistics ---
72 packets transmitted, 0 received, 100% packet loss, time 72711ms

@DerLinkman
Member

Looks like it yes.

Maybe try to see why you can't ping 1.1.1.1

@Green2Matter

> Looks like it yes.
>
> Maybe try to see why you can't ping 1.1.1.1

Has this been changed recently (2024) in unbound container? What address was used to ping before?

@dw763j

dw763j commented Jan 18, 2024

> > Looks like it yes.
> > Maybe try to see why you can't ping 1.1.1.1
>
> Has this been changed recently (2024) in unbound container? What address was used to ping before?

BTW, in my case, it cannot ping 9.9.9.9 in the origin server.

@DerLinkman
Member

> > Looks like it yes.
> > Maybe try to see why you can't ping 1.1.1.1
>
> Has this been changed recently (2024) in unbound container? What address was used to ping before?

None. That is the "problem" you are facing. We've implemented this to make sure the container works as we want it to. So we strictly created some simple DNS tests first, but these were not fail-proof enough, so we added ping and port checks too.

@Green2Matter

> None. That is the "problem" you are facing. We've implemented this to make sure the container works as we want it to. So we strictly created some simple DNS tests first, but these were not fail-proof enough, so we added ping and port checks too.

My main problem is that I don't have any DNS blocking rules in the firewall (opnsense); the server can ping 8.8.8.8 and 9.9.9.9 but not 1.1.1.1.

@psonntag1

I ran a test with unbound 1.19.1
The container still results in an unhealthy state because of the timeout error, but all checks are successful.

root@gaia:/opt/mailcow-dockerized# docker inspect 919ac36911e4

[..]
"Health": {
"Status": "unhealthy",
"FailingStreak": 4,
"Log": [
{
"Start": "2024-01-18T19:13:26.52239167+01:00",
"End": "2024-01-18T19:13:56.570633658+01:00",
"ExitCode": -1,
"Output": "Health check exceeded timeout (30s): PING 1.1.1.1 (1.1.1.1): 56 data bytes\n\n--- 1.1.1.1 ping statistics ---\n3 packets transmitted, 3 packets received, 0% packet loss\nround-trip min/avg/max = 6.332/6.435/6.596 ms\nPING 8.8.8.8 (8.8.8.8): 56 data bytes\n\n--- 8.8.8.8 ping statistics ---\n3 packets transmitted, 3 packets received, 0% packet loss\nround-trip min/avg/max = 7.508/7.808/7.968 ms\nPING 9.9.9.9 (9.9.9.9): 56 data bytes\n\n--- 9.9.9.9 ping statistics ---\n3 packets transmitted, 3 packets received, 0% packet loss\nround-trip min/avg/max = 8.487/8.554/8.607 ms\nConnection to mailcow.email (185.199.108.153) 80 port [tcp/http] succeeded!\nConnection to mailcow.email (185.199.108.153) 443 port [tcp/https] succeeded!\nConnection to github.com (140.82.121.3) 80 port [tcp/http] succeeded!\nConnection to github.com (140.82.121.3) 443 port [tcp/https] succeeded!\nConnection to hub.docker.com (44.219.3.189) 80 port [tcp/http] succeeded!\n" },
[..]

The healthcheck.log shows no error:

root@gaia:/opt/mailcow-dockerized# docker compose exec unbound-mailcow cat /var/log/healthcheck.log
2024-01-18 19:13:33: Healthcheck: DNS Resolver WORKING properly!

With manual execution of the healthcheck script, also no errors...

root@gaia:/opt/mailcow-dockerized# docker exec -it mailcowdockerized-unbound-mailcow-1 /healthcheck.sh
PING 1.1.1.1 (1.1.1.1): 56 data bytes

--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 6.454/6.580/6.647 ms
PING 8.8.8.8 (8.8.8.8): 56 data bytes

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 7.443/7.690/7.942 ms
PING 9.9.9.9 (9.9.9.9): 56 data bytes

--- 9.9.9.9 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 8.334/8.669/9.332 ms
Connection to mailcow.email (185.199.111.153) 80 port [tcp/http] succeeded!
Connection to mailcow.email (185.199.108.153) 443 port [tcp/https] succeeded!
Connection to github.com (140.82.121.4) 80 port [tcp/http] succeeded!
Connection to github.com (140.82.121.4) 443 port [tcp/https] succeeded!
Connection to hub.docker.com (3.224.227.198) 80 port [tcp/http] succeeded!
Connection to hub.docker.com (44.219.3.189) 443 port [tcp/https] succeeded!

@psonntag1

Extending the timeout to 1m with a docker compose override file (as shown in the comment from @KarolKozlowski) works for me too.

@KarolKozlowski

Maybe this helps someone. I managed to pinpoint the issue to DNS, my primary server was inaccessible from within the docker network. There are 2 solutions (for me):

  • override DNS server to an accessible one:
    version: '2.1'
    
    services:
      unbound-mailcow:
        dns:
         - "1.1.1.1"
    
  • Create SNAT rule to allow traffic (yeah, I have a pretty peculiar setup).

Health check run time is now down to 6 seconds:

# time docker exec -it mailcowdockerized-unbound-mailcow-1 /healthcheck.sh
PING 1.1.1.1 (1.1.1.1): 56 data bytes

--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 1.344/1.541/1.900 ms
PING 8.8.8.8 (8.8.8.8): 56 data bytes

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 20.827/20.869/20.913 ms
PING 9.9.9.9 (9.9.9.9): 56 data bytes

--- 9.9.9.9 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 1.081/1.118/1.189 ms
Connection to mailcow.email (185.199.110.153) 80 port [tcp/http] succeeded!
Connection to mailcow.email (185.199.111.153) 443 port [tcp/https] succeeded!
Connection to github.com (140.82.121.4) 80 port [tcp/http] succeeded!
Connection to github.com (140.82.121.4) 443 port [tcp/https] succeeded!
Connection to hub.docker.com (44.219.3.189) 80 port [tcp/http] succeeded!
Connection to hub.docker.com (44.193.181.103) 443 port [tcp/https] succeeded!

real    0m6.852s
user    0m0.033s
sys     0m0.025s

@DerLinkman
Member

I had the idea to add a hidden variable which controls the check timeout like UNBOUND_HEALTHCHECK_THRESHOLD which can be modified according to the user needs. The default value would still be 30s.

What do you think about it?

@Green2Matter

> I had the idea to add a hidden variable which controls the check timeout like UNBOUND_HEALTHCHECK_THRESHOLD which can be modified according to the user needs. The default value would still be 30s.
>
> What do you think about it?

Seems OK. Is it also possible to customize the DNS address for the unbound container?
The following override is somehow not applied...

version: '2.1'

services:
  unbound-mailcow:
    dns:
      - "9.9.9.9"

@DerLinkman
Member

Unbound itself resolves the DNS queries, so you can't change that per se. However, maybe take a look at this doc article regarding unbound DNS resolving ports in the firewall: https://docs.mailcow.email/getstarted/prerequisite-system/#important-for-hetzner-firewalls

@Green2Matter

> Unbound itself resolves the DNS queries, so you can't change that per se. However, maybe take a look at this doc article regarding unbound DNS resolving ports in the firewall: https://docs.mailcow.email/getstarted/prerequisite-system/#important-for-hetzner-firewalls

Thanks, but it doesn't help in my case. I restored mailcow from 2023 and, for the time being, I will stop doing updates...

@KarolKozlowski

> I had the idea to add a hidden variable which controls the check timeout like UNBOUND_HEALTHCHECK_THRESHOLD which can be modified according to the user needs. The default value would still be 30s.
>
> What do you think about it?

This functionality can be achieved by compose overrides, so in my opinion it is redundant (might require documenting it though).

I think it would benefit everyone if we knew what is causing the check to fail. In my case all checks were successful, but took too long to respond. The delay was caused by long DNS queries (fail-over to secondary server) which technically should not impair the functionality of the service, but is rather an anomaly that should be investigated. What do you think?

@DerLinkman
Member

If the healthcheck took too long, you have to adjust it manually or analyse why your system does this in general. A standardized mailcow installation can easily complete the healthcheck in less than 10s.

I do agree with the redundant thing and how to document it.

@zenz

zenz commented Jan 21, 2024

> If the healthcheck took too long, you have to adjust it manually or analyse why your system does this in general. A standardized mailcow installation can easily complete the healthcheck in less than 10s.
>
> I do agree with the redundant thing and how to document it.

Increasing the timeout or changing DNS doesn't work in China, since the GFW blocks github.com and sometimes even hub.docker.com, so allowing the user to ignore this check is the only solution.

@hobbsAU

hobbsAU commented Jan 21, 2024

I'm on a Hetzner VM with the same issue.

Switching "dns-nameservers" in the network interface config under Debian to IPv4 fixed the problem.

https://docs.hetzner.com/cloud/servers/static-configuration/

@Green2Matter

What is the full set of unbound checks? I managed to establish a connection to the required DNS:

PING 1.1.1.1 (1.1.1.1): 56 data bytes
--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 7.828/7.939/8.003 ms
PING 8.8.8.8 (8.8.8.8): 56 data bytes
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 6.547/6.679/6.815 ms
PING 9.9.9.9 (9.9.9.9): 56 data bytes
--- 9.9.9.9 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 31.858/31.961/32.105 ms
nc: getaddrinfo for host "mailcow.email" port 80: Try again

But I don't understand the last test failure. All commands are issued in the unbound container:

4143512df6db:/# nc -vz mailcow.email 80
nc: getaddrinfo for host "mailcow.email" port 80: Try again

while the dig command produces a result:

4143512df6db:/# dig +short mailcow.email @unbound
185.199.108.153
185.199.111.153
185.199.109.153
185.199.110.153

Why does it need to check connectivity to the mailcow.email host at port 80?
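
Added example, not part of the thread and not mailcow's own code: a small triage helper that sorts healthcheck output like the runs quoted in this issue into ICMP, name-resolution and TCP findings. The `nc: getaddrinfo ... Try again` line is a temporary lookup failure in the container's system resolver, a different path from `dig ... @unbound`, which queries the named server directly. The function names and the `nc: connect to` failure wording are assumptions.

```shell
# Constructed sample (added example, not mailcow code), modelled on output quoted in this thread.
sample_output() {
cat <<'EOF'
PING 1.1.1.1 (1.1.1.1): 56 data bytes
--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
PING 8.8.8.8 (8.8.8.8): 56 data bytes
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
nc: getaddrinfo for host "mailcow.email" port 80: Try again
Connection to github.com (140.82.121.4) 443 port [tcp/https] succeeded!
nc: connect to hub.docker.com port 443 (tcp) failed: Connection timed out
EOF
}

# Reads healthcheck output on stdin; prints one "<STAGE>_<RESULT> <target>" per check.
classify_healthcheck() {
  awk '
    /^--- .* ping statistics ---$/ { target = $2; next }
    /packets transmitted/ {
      if ($4 + 0 == 0)          print "ICMP_FAIL " target
      else if ($4 + 0 < $1 + 0) print "ICMP_LOSS " target
      else                      print "ICMP_OK " target
      next
    }
    # The system resolver (getaddrinfo) failed; no TCP connection was attempted.
    /^nc: getaddrinfo for host/ {
      gsub(/"/, "", $5); sub(/:$/, "", $7)
      print "RESOLVE_FAIL " $5 ":" $7; next
    }
    /^Connection to .* succeeded!$/ { print "TCP_OK " $3 ":" $5; next }
    # Assumed OpenBSD nc wording for a refused or timed-out connection.
    /^nc: connect to / {
      for (i = 1; i < NF; i++) if ($i == "port") p = $(i + 1)
      print "TCP_FAIL " $4 ":" p; next
    }
  '
}

# Names the first failing stage in the order the checks appear in the output.
first_failing_stage() {
  case "$(classify_healthcheck)" in
    *ICMP_FAIL*)    echo icmp ;;
    *RESOLVE_FAIL*) echo resolver ;;
    *TCP_FAIL*)     echo tcp ;;
    *)              echo ok ;;
  esac
}
sample_output | classify_healthcheck
```

To use it on a real run, pipe the output of the `docker exec ... /healthcheck.sh` command shown earlier in this thread into `classify_healthcheck`.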

@pozzo-balbi

Hi, it looks to me that docker-compose.yml has "condition: service_healthy" as a prerequisite for unbound, and that condition is not met at startup of docker-compose, hence the error. See https://community.mailcow.email/d/2977-container-unbound-unhealthy/18. I'm no docker expert, so I just changed it to service_started for myself.

@greenmoss

greenmoss commented Mar 2, 2024

TL;DR: also verify ping from your mailcow host, OUTSIDE the Docker containers.

I was having this problem, and found my firewall was blocking 1.1.1.1. Presumably the blocker rule was in one of the dynamic block lists, for example anti-spam, etc. I permitted ping from my mailcow host to 1.1.1.1 and then the unbound check passed immediately.

@ashcorpaddams

Hello All,

I had the same issue and fixed it by adding outbound rules to my firewall:

  1. ALLOW MAILCOW-UNBOUND TO PING > ICMP
  2. ALLOW MAILCOW-UNBOUND TO DIG TCP > TCP 53
  3. ALLOW MAILCOW-UNBOUND TO DIG UDP > UDP 53

Note I am using Hetzner to host my docker.

Hope this helps

@B-Interactive

I know I'm re-treading some ground here, but I offer this for the benefit of others coming here for answers.

For me, the unbound-mailcow container fails to ping 8.8.8.8 (Google), but is able to ping 1.1.1.1 (Cloudflare) and 9.9.9.9 (Quad9) just fine. I've yet to determine the cause of this. My setup and firewall are not complicated, with nothing outbound blocked.

The healthcheck.sh requires all three to pass to achieve "healthy".

For now, to achieve a working state, I've had to resort to skipping the health check entirely (as per #5652), even though 2 of 3 ping tests are successful.

mailcow.conf (line 256)
SKIP_UNBOUND_HEALTHCHECK=y

@JPaulMora

I have just upgraded to the latest mailcow version, disabling unbound has fixed my send/receive email issues.

@Trackhe

Trackhe commented Dec 25, 2024

iptables -t nat -A POSTROUTING -s 172.22.1.0/24 -o eth0 -j MASQUERADE

fixes the problem on my Hetzner cloud container, but the update.sh script overwrites it, so there needs to be some adjustment. By the way, it's not only on ARM.
