mifronte

Members
  • Posts

    423
  • Joined

  • Last visited

Everything posted by mifronte

  1. I decided to create rules on my router to intercept all DNS queries and redirect to my router's DNS resolver. This solves the problem that Docker is not using the correct DNS for its interface since the query will be intercepted and redirected. Another side benefit is that the Google devices with hardcoded Google DNS are now being intercepted too and forced to go through my DNS resolver.
  2. Are you not running a local DNS or do you allow DNS queries to traverse across your VLANs?
  3. @bonienl By any chance are you encountering that segregated Docker containers on VLAN interfaces are using the incorrect DNS server? Instead of the VLAN interface's (i.e. br0.30) DNS server, it is using the unRAID's primary interface (i.e. br0) DNS server. This breaks DNS for the containers on br0.30 since the br0's DNS is not reachable from the VLAN. I placed my Docker container in a VLAN as specified in the first post and Docker is trying to use the primary's interface DNS server. So here is my setup: eth0: 10.10.1.0/24 with DNS 10.10.1.1 VLAN 30 : 10.10.2.0/24 with DNS 10.10.2.1 However, Docker containers on br0.30 are configured with DNS 10.10.1.1 and not DNS 10.10.2.1. I have to use the --dns option to supply the correct DNS.
  4. @SiNtEnElThat is exactly my problem! Docker is not setting the Google DNS because it does find a DNS in the host's /ect/resolv.conf. Unfortunately the DNS that Docker finds is in the wrong network! Besides, I would not want Docker to set Google to be my DNS and bypass my domain name blocking (DNSBL on my pfSense). It looks like both you and @ken-ji may not have used the unRAID GUI to setup your VLAN network for Docker.
  5. @ken-ji Thanks for the link. I will have to digest the information and see what tweaks I need to do to apply it to my situation. I really can't have unRAID being available in a network with opened ports on the firewall. Will I have to edit the /etc/rc.d/rc.docker and manually recreate the docker network on the VLAN every time my unRAID server reboot?
  6. OK, I ran this command docker run busybox nslookup smtp.mail.yahoo.com and it confirms that my container running on a VLAN interface is configured with unRAID's DNS server. This is fine if the container is running in Host mode, but if the container is running in a VLAN bridge mode (which is a different network from unRAID's primary interface) then the DNS server is unreachable. By supplying the --dns option, the built-in Docker DNS will use the supplied DNS when the built-in DNS is unable to resolve a FQDN. This means Docker always try the default DNS and then fallback to the DNS supplied with the --dns option. Supposedly I can set the list of DNS for the Docker daemon to use in /etc/docker/daemon.json. I will have to try and test this. Update: I tried adding a daemon.json file with the appropriate dns list, but the Docker service would not start. Removing the file allowed the Docker service to start again. Also running the command docker run busybox nslookup smtp.mail.yahoo.com creates a questionable docker container that looks like spam or something.
  7. That is exactly the content of my docker container's /etc.resolv.conf too. Is there a command to see the IP of the DNS that the container is using? Surely I passed in the IP with the --dns option, that must be stored somewhere inside the container. I want to verify that by default, Docker is picking up the DNS in unRAID's /etc/conf and not the appropriate DNS for the subnet of the VLAN.
  8. @ken-ji Only the cat command worked, but the resolv.conf file inside the docker container is the same regardless if I supply the --dns option or not. I suspect that when spinning up a container, Docker will by default check for a DNS server defined in /etc/resolv.conf in the host OS, and if it doesn't find one, or finds only 127.0.0.1, will opt to use Google's public DNS server 8.8.8.8. So the host OS is unRAID and the DNS server defined in unRAID's /etc/resolv.conf is the DNS server for unRAID's primary interface. I even logged into unRAID on the VLAN interface, and the /ect/resolv.conf shows the DNS of the primary interface and not of the VLAN. So this may mean the Docker container on the VLAN interface is using an unreachable DNS server defined in the unRAID host. Somehow unRAID must pass the VLAN's DNS server to Docker if the container is using the VLAN interface.
  9. I would like to view the network configuration within the docker container. I logged into the container with docker exec -it unifi /bin/bash and tried ifconfig but it says command not found. What are the commands that I would use to see the network settings from within the docker container? I am just curious what is the default DNS without the --dns option.
  10. @theiam79I decided to keep the two NIC bonded and setup the LAG as a VLAN trunk on my Cisco SG350 switch. Then in unRAID in Network Settings, I defined a VLAN interface that obtains its IP from my DHCP for that VLAN. I then configured my UniFi docker container to use the appropriate bridge for the VLAN (i.e. br0.30) with a static IP within the VLAN. With the exception of DNS not being properly passed through to the docker container, everything is working great once I configured the docker container with the --dns option to compensate for the DNS problem. Now my UniFi docker container is in its own VLAN and all my APs are connected. The only issue I have is that unRAID is also accessible on the VLAN interface. This defeats my goal of segregating the UniFi controller and my unRAID server being in the same network since I have ports opened on my firewall so that remote APs can connect to the UniFi Controller, but I don't want my unRAID to be in the same network where ports are opened on the firewall.
  11. @SiNtEnEl If I understand you correctly, your UniFi docker container is configured as something like br0.VLANID for network mode and you configured a VLAN interface on your unRAID server in Network settings. Did you assign a separate static IP or configured the Docker DHCP for your container? I am trying to see if I configured something incorrectly where my Docker container has no DNS or is using the primary DNS on the man unRAID interface, which is not reachable from the VLAN (i.e using 192.168.1.1 which the main unRAID is using, but the VLAN is configured for 192.168.30.0/24). BTW, your APs and UniFi Controller do not need to be in the same network. You just need to ssh into the AP and perform a set-inform to point it to the controller just as long as there is a valid network route. I have APs coming in from the Internet to my UniFi controller.
  12. It would be great to be able to specify if the unRAID server should be accessible for each VLAN interface. I don't really know what this entails, but I have faith.
  13. This issue is not with the AP's being in VLANs, but running the UniFi Docker container on unRAID in its own VLAN interface. It appears that I get no DNS configuration for the docker container that uses the unRAID VLAN interface. If I run the UniFi docker in Host mode, then it gets the DNS from the primary unRAID host. The DNS is handed out by my DHCP server and so when unRAID gets an IP form the DHCP server for the VLAN interface, it would also get the DNS configuration. However, there is no DNS field in the Network Settings for VLAN like there is for Default Gateway. This leads me to suspect that unRAID is not passing on the correct DNS to the Docker Engine?
  14. @Gog I followed similar intstructions found here to import my self-signed SSL certificate and it worked! I did not run the script, but just followed a couple of commands from the script that is similar to your instructions. It looked like it is best if you are self-signed, then you can use your server.key, server.crt, and internal-CA.crt to generate the pkcs12 certificate. At first I tried the "java -jar lib/ace.jar import_cert" method with my concatenated crt and key in a pem file, but I ended up getting a SSL error of invalid response (ERR_SSL_PROTOCOL_ERROR) although the import was successful. It turned out the UniFi Controller is very picky and you may have to go through the entire ugly keytool commands.
  15. Adding the --dns to my run config solved the problem. Without the --dns option, I get host unknown host errors. So I still believe that either unRAID is not setting the DNS for VLANS, or it is setting the DNS of the primary interface. Which for VLANS that are not using the same network, the primary DNS is not reachable since it is in a different subnet.
  16. But I don't think it is prevented from the network. If someone hacks into the docker container (i.e. docker exec -it unifi bash) as if it is a host on the network, they can try and hack into unRAID through the VLAN interface. Because when I run: docker exec -it unifi bash I get into the docker container as if it is a host on the network. Wouldn't unRAID be accessbile via the network?
  17. I am not too concerned with the docker containers themselves, but who is coming into the open ports required by the containers. Since my UniFi docker container requires ports to be opened on my firewall, I do not want my unRAID server to be in the same network where I have opened ports, even if the ports are mapped to the docker container. I just don't want my unRAID to be accessible on the VLAN interface too because I would like to put any services that requires ports to be opened on my firewall into their own network with no access to my private network including my unRAID server. Update: Let's assume somehow a docker container with its own IP is compromised. Since the unRAID server on the VLAN interface is in the same network as the docker container, how can I protect it with firewall rules? Since the two are in the same network, traffic between the two does not hit the firewall router.
  18. Anyone running this docker app in its own VLAN with a static assigned IP? I just installed this UniFi docker app in its own VLAN with a static assigned IP. Everything works with the exception that this UniFi docker app is unable to resolve FQDN hosts. For example, the Mail Server configuration cannot send SMTP mails if I use a FQDN for the SMTP server. However, if I use an IP address, then it can send mail. The log says unknown host for the FQDN. Also the Cloud Access cannot be enabled because it is using FQDN to get to the Ubiquiti Cloud Services. I have a feeling that DNS is not properly being set up for the container in the VLAN configuration. I just don't know if this is an unRAID or container issue. @Gog I will have to try your suggestion to get my self-signed cert into the UniF docker. Is the "\" part of the command? Update: The DNS issue with resolving FQDN in the container is related to Docker using the same DNS across all interfaces. This would be a problem if you are using a local DNS and have Docker running in a VLAN configured with the unRAID GUI. Docker will use the DNS of the host which is on a different interface as the VLAN and thereby not reachable by the container. For now, I just supplied the --dns option to the container with the correct local DNS for the VLAN interface that Docker is using.
  19. I went ahead and created a VLAN (30) for my UniFi docker. The VLAN is on a separate network from my main LAN. The only issue I have with this setup is that the unRAID server gets an address is accessible from the VLAN too! I was hoping by putting the docker apps in a VLAN on a separate network, the docker apps would be segregated from my unRAID server. Is there anyway to prevent unRAID from being in the VLAN network too?
  20. I setup a VLAN (30) to be used for my UniFi docker container. The UniFi (by linuxserver.io) docker appears to be running with the exception that the docker app is not able to resolve hosts using fqdn. For example, inside the UniFi app, you can configure it to send an SMTP alert (like with unRAID). However, if I used the fqdn for the SMTP server (i.e. smtp.mail.yahoo.com), I get an unknown smtp host error. If I use the IP address of the SMTP server (98.138.105.21) then the test smtp alert email gets sent with no problem. Looking on the Network settings, I see a DNS for the main eth0 interface, but none for VLAN portion. I have setup my VLAN to be a separate network, and a PC hooked into the VLAN works fine. However, it appears the docker container is not using my local DNS or any DNS? Update: I did not know if this belongs in the Docker Engine or the General Support thread. I think since it is a general unRAID Network setting issue, I chose the general support thread.
  21. That's correct. Since I use pfSense, I use the pfSense Cert Manager to maintain my own internal certificates. This way all my internal https do not get the browser warning. For example, with unRAID 6.4, I created a self-signed certificate that the browser does not complain since I am my own certificate authority (CA) and have configured my desktops to trust my internal CA.
  22. Thanks bonienl. You kind of indirectly answered my question. I was hoping to use my main DHCP service and not have to run a separate DHCP service for Docker. I guess I will just statically assign the IP.
  23. I am thinking about switching from pducharme's UniFi container to linuxserver.io's container. Going over the linuxserver.io's webpage, it specified a PGID and PUID. Just what should be this value? My current UniFi container does not require the PGID or PUID and looks like it runs as root. Should I use the PGID and PUID for root or should I create an ID for the Docker UniFi container?
  24. I started the ssh into the controller question because I wanted to try installing my own self-signed SSL certificate. To clarify, since the UniFi controller is running in its own Docker container with its own IP address, it is kind of like a virtual host server. So I would like to ssh into that UniFi controller docker container as if the controller was running on its own physical server. I don't know too much about the underpinnings of Docker, but if I can get into the UniFi controller host, to try these steps: Installing SSL Certificate on UniFi Controller