
coredns Crashloopbackoff Listen: listen tcp :53: bind: permission denied #11690

ganecheng opened this issue Jan 30, 2025 · 8 comments

Comments

@ganecheng

rancher/mirrored-coredns-coredns:1.12.0
Listen: listen tcp :53: bind: permission denied

Environmental Info:
K3s Version:

k3s -v
k3s version v1.31.5+k3s1 (56ec5dd4)
go version go1.22.10

Node(s) CPU architecture, OS, and Version:

uname -a
Linux kvm-001 6.6.0-28.0.0.34.oe2403.x86_64 #1 SMP Mon May 27 22:22:46 CST 2024 x86_64 x86_64 x86_64 GNU/Linux

Cluster Configuration:
3 servers, 3 agents

Describe the bug:

k3s installed successfully, but the coredns deployment failed.

maxprocs: Leaving GOMAXPROCS=2: CPU quota undefined
[WARNING] No files matching import glob pattern: /etc/coredns/custom/*.override
[WARNING] No files matching import glob pattern: /etc/coredns/custom/*.server
Listen: listen tcp :53: bind: permission denied

Please fix it. It's OK on k3s v1.30.4-k3s1.

@brandond
Member

I can't reproduce this. What sort of environment is this in? What Linux distribution are you using? Is SELinux enabled on your nodes, and if so, have you installed the correct SELinux packages and enabled SELinux in the k3s config?

@ganecheng
Author

I found 2 ways to solve it:

  1. set privileged to true
          securityContext:
            privileged: true
  2. run as root
          securityContext:
            runAsUser: 0

So, how can I configure the coredns container yaml to set privileged to true or run as root when I install k3s?

@ganecheng
Author

I installed k3s airgapped on a KVM virtual machine; the Linux distribution is openEuler, and SELinux is disabled.

# cat /etc/os-release 
NAME="openEuler"
VERSION="24.03 (LTS)"
ID="openEuler"
VERSION_ID="24.03"
PRETTY_NAME="openEuler 24.03 (LTS)"
ANSI_COLOR="0;31"
# sestatus
SELinux status:                 disabled

@brandond
Member

brandond commented Jan 30, 2025

The coredns deployment grants the container NET_BIND_SERVICE capability which allows it to bind to privileged ports. Had you previously modified the coredns deployment yaml to remove this capability?

k3s/manifests/coredns.yaml, lines 151 to 153 in 6100f5c:

    capabilities:
      add:
        - NET_BIND_SERVICE

@ganecheng
Author

I did not modify the coredns deployment yaml. It doesn't work on my OS environment.

If you have time, repeat as follows:

  1. Install the OS:
     https://repo.openeuler.org/openEuler-24.03-LTS/ISO/x86_64/openEuler-24.03-LTS-x86_64-dvd.iso
  2. Install Docker:
     yum -y install docker-engine
  3. Install k3s v1.31.5+k3s1 airgap with docker engine:
     https://docs.k3s.io/installation/airgap
  4. Install k3s v1.30.4-k3s1 airgap with docker engine, and compare their differences of coredns.

@brandond
Member

brandond commented Jan 31, 2025

The pod has sufficient privilege to listen on that port. You'll need to figure out what other security module on your node is blocking it.
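Added diagnostic, not from this thread or the k3s project: it decodes the capability bitmasks in /proc/<pid>/status for the coredns process to show whether NET_BIND_SERVICE (the capability the manifest adds) actually reaches the effective set, which is the set the kernel consults when bind() is called on port 53. The status excerpts are constructed samples, and the pid argument is assumed.

```python
import re
import sys

# Capability bit numbers come from linux/capability.h; bit 10 is the one the
# coredns manifest adds so a non-root process may bind port 53.
CAP_NET_BIND_SERVICE = 10

# Matches the CapInh/CapPrm/CapEff/CapBnd/CapAmb lines of /proc/<pid>/status.
_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", re.M)

def _status(uid, prm, eff, bnd):
    """Build a constructed /proc/<pid>/status excerpt (not from the reporter's node)."""
    return (f"Name:\tcoredns\nUid:\t{uid}\t{uid}\t{uid}\t{uid}\n"
            f"CapInh:\t0000000000000000\nCapPrm:\t{prm:016x}\nCapEff:\t{eff:016x}\n"
            f"CapBnd:\t{bnd:016x}\nCapAmb:\t0000000000000000\n")

# 0xa80425fb has bit 10 set; 0xa80421fb is the same mask with bit 10 cleared.
SAMPLE_EFFECTIVE = _status(0, 0xA80425FB, 0xA80425FB, 0xA80425FB)  # root, cap usable
SAMPLE_BOUNDING_ONLY = _status(1000, 0, 0, 0xA80425FB)             # non-root, never received it
SAMPLE_ABSENT = _status(1000, 0, 0, 0xA80421FB)                    # dropped by the runtime

def parse_cap_masks(status_text):
    """Return {"CapInh": int, "CapPrm": int, ...} parsed from a status file's text."""
    return {name: int(value, 16) for name, value in _CAP_LINE.findall(status_text)}

def has_cap(mask, cap):
    """True if capability number `cap` is set in the 64-bit mask."""
    return bool((mask >> cap) & 1)

def diagnose(status_text, cap=CAP_NET_BIND_SERVICE):
    """Say where the capability sits. Only 'effective' lets bind() on port 53
    pass the kernel's check. 'permitted-only': the process holds it but has not
    raised it. 'bounding-only': the runtime allowed it, but a non-root process
    without file or ambient capabilities never received it. 'absent': dropped."""
    masks = parse_cap_masks(status_text)
    if has_cap(masks.get("CapEff", 0), cap):
        return "effective"
    if has_cap(masks.get("CapPrm", 0), cap):
        return "permitted-only"
    if has_cap(masks.get("CapBnd", 0), cap):
        return "bounding-only"
    return "absent"

if __name__ == "__main__":
    # Usage: python capcheck.py <pid of the coredns process on the node>
    pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    with open(f"/proc/{pid}/status") as status_file:
        print(diagnose(status_file.read()))
```

A result other than "effective" for the running coredns process points at the runtime or its security configuration rather than at the deployment manifest.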

@brandond
Member

brandond commented Jan 31, 2025

Ahh, I see that you're using Docker. That is probably relevant, but you'd not mentioned that until now. Can you use containerd instead?

K3s does not manage the runtime configuration if you're using Docker, so you'll need to modify the containerd config (for the containerd that comes with docker) on your own.

Preferably you'd just use the containerd that comes with k3s though.

@ganecheng
Author

OK, let me try.
