Support storage back ends that do not support extended file attributes

[bluen]

When using a storage back end in docker that does not support extended file attributes, the go-dnsmasq resolver is not able to bind to port 53 (or any other port < 1024).

Basically the line https://github.com/smebberson/docker-alpine/blob/master/alpine-base/Dockerfile#L18 has no effect when such a storage back end (aufs, btrfs - see moby/moby#30557) is used, so DNS fails in the container.

I suggest a simple workaround in https://github.com/smebberson/docker-alpine/blob/master/alpine-base/root/etc/services.d/resolver/run like this:

#!/usr/bin/with-contenv sh

RUNAS="go-dnsmasq"

setcap -v CAP_NET_BIND_SERVICE=+eip /bin/go-dnsmasq
status=$?

if [ !$status ];
then
    RUNAS="root"
fi

s6-setuidgid ${RUNAS} go-dnsmasq --default-resolver --ndots "1" --fwd-ndots "0" --hostsfile=/etc/hosts >> $GO_DNSMASQ_LOG_FILE 2>&1

This makes go-dnsmasq run as root (instead of the go-dnsmasq user) if the capability is not set on the binary (which is the case when using a back end that does not support extended file attributes.

[bluen]

Here's some information observed on Debian jessie with docker 1.13.1 using storage back end aufs:

# setcap -v CAP_NET_BIND_SERVICE=+eip /bin/go-dnsmasq
/bin/go-dnsmasq differs in [pie]

/var/log/go-dnsmasq/go-dnsmasq.log in the container:

time="2017-03-16T13:15:28Z" level=info msg="Starting go-dnsmasq server 1.0.7" 
time="2017-03-16T13:15:28Z" level=info msg="Nameservers: [8.8.8.8:53 8.8.4.4:53]" 
time="2017-03-16T13:15:28Z" level=info msg="Setting host nameserver to 127.0.0.1" 
time="2017-03-16T13:15:28Z" level=info msg="Ready for queries on tcp://127.0.0.1:53" 
time="2017-03-16T13:15:28Z" level=info msg="Ready for queries on udp://127.0.0.1:53" 
time="2017-03-16T13:15:28Z" level=fatal msg="listen udp 127.0.0.1:53: bind: permission denied"

[smebberson]

@bluen, I've experienced this myself and came up with the same solution. Just going through some maintenance releases and will release this shortly with an upgrade to Alpine 3.5.

[sramazzina]

Hi @smebberson. Any news on this issue of level=fatal msg="listen udp 127.0.0.1:53: bind: permission denied"? I'm using your container and experiencing same issue. When you are planning to release the fixes you're talking about?

[smebberson]

@bluen, what are your thoughts on https://github.com/smebberson/docker-alpine/commits/abh-master

It takes a different approach to resolve the setcap issue. Less smart, but simpler than your version. Any thoughts?