Postinstall breaks DNS

,

My YunoHost server

Hardware: VPS bought online
YunoHost version: 4.0.8.2
I have access to my server : Through SSH
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no

Description of my issue

Hello,

I am trying to install YunoHost on a new VPS, and I can’t get past the postinstall step, as my DNS configuration breaks.

The server was pre-configured with Debian 9 (stretch) and I updated it to 10 (buster), with a sed -i 's/stretch/buster/g' /etc/apt/sources.list followed by apt update && apt upgrade && apt dist-upgrade && reboot.

I tried to run the installer:

curl https://install.yunohost.org | bash

I got told that I needed to uninstall bind9 because it conflicted with YunoHost’s dnsmasq. I did apt purge bind9.
On second try I was told I also needed to remove apache2. I did apt purge apache2.
Third time the installer ran successfully.

After that I ran yunohost tools postinstall. Somewhere during this step my DNS configuration broke.

This is the output of postinstall:

# yunohost tools postinstall
Main domain: (my domain name here)
You are now about to define a new administration password. The password should be at least 8 characters long—though it is good practice to use a longer password (i.e. a passphrase) and/or to use a variation of characters (uppercase, lowercase, digits and special characters).
New administration password: 
Confirm new administration password: 
Info: Installing YunoHost...
Info: The configuration file '/etc/nsswitch.conf' is now managed by YunoHost (category nsswitch).
Success! Configuration updated for 'nsswitch'
Info: The configuration file '/etc/nslcd.conf' is now managed by YunoHost (category nslcd).
Success! Configuration updated for 'nslcd'
Success! LDAP initialized
Success! Configuration updated for 'ssl'
Success! Local certification authority created.
Success! Self-signed certificate now installed for the domain '(my domain name here)'
Success! Domain created
Success! The main domain has been changed
Info: Your root password have been replaced by your admin password.
Success! The administration password was changed
Warning: Some firewall rule commands have failed. More info in log.
Success! App catalog system initialized!
Info: Updating application catalog…
Warning: Unable to download the default app catalog: Invalid URL https://app.yunohost.org/default/v2/apps.json (does this site exists?)
Success! The service 'yunohost-firewall' will now be automatically started during system boots.
Success! Service 'yunohost-firewall' started
Success! Configuration updated for 'ssh'
Info: The configuration file '/etc/metronome/metronome.cfg.lua' is now managed by YunoHost (category metronome).
Success! Configuration updated for 'metronome'
Info: The configuration file '/etc/postfix/master.cf' is now managed by YunoHost (category postfix).
Info: The configuration file '/etc/postfix/main.cf' is now managed by YunoHost (category postfix).
Info: The configuration file '/etc/default/postsrsd' is now managed by YunoHost (category postfix).
Success! Configuration updated for 'postfix'
Success! Configuration updated for 'yunohost'
Success! Configuration updated for 'rspamd'
Success! Configuration updated for 'apt'
Success! Configuration updated for 'nginx'
Info: The configuration file '/etc/default/dnsmasq' is now managed by YunoHost (category dnsmasq).
Info: The configuration file '/etc/dnsmasq.conf' is now managed by YunoHost (category dnsmasq).
Success! Configuration updated for 'dnsmasq'
Info: The configuration file '/etc/fail2ban/jail.conf' is now managed by YunoHost (category fail2ban).
Success! Configuration updated for 'fail2ban'
Info: The configuration file '/etc/mysql/my.cnf' is now managed by YunoHost (category mysql).
Success! Configuration updated for 'mysql'
Info: The configuration file '/etc/avahi/avahi-daemon.conf' is now managed by YunoHost (category avahi-daemon).
Success! Configuration updated for 'avahi-daemon'
Info: The configuration file '/etc/dovecot/dovecot.conf' is now managed by YunoHost (category dovecot).
Success! Configuration updated for 'dovecot'
Success! Configuration updated for 'slapd'
Success! YunoHost is now configured
Warning: The post-install completed! To finalize your setup, please consider:
    - adding a first user through the 'Users' section of the webadmin (or 'yunohost user create <username>' in command-line);
    - diagnose potential issues through the 'Diagnosis' section of the webadmin (or 'yunohost diagnosis run' in command-line);
    - reading the 'Finalizing your setup' and 'Getting to know Yunohost' parts in the admin documentation: https://yunohost.org/admindoc.

The first 2 things that don’t look good in the first part of the output:

Warning: Some firewall rule commands have failed. More info in log.
Warning: Unable to download the default app catalog: Invalid URL https://app.yunohost.org/default/v2/apps.json (does this site exists?)

I know for sure that DNS breaks exactly during the postinstall phase because:

Before:

# nslookup yunohost.org
Server:		62.129.252.252
Address:	62.129.252.252#53

Non-authoritative answer:
Name:	yunohost.org
Address: 80.67.172.144
Name:	yunohost.org
Address: 2001:910:1410::1

After:

# nslookup yunohost.org
;; connection timed out; no servers could be reached

At the same time, ping -c 1 80.67.172.144 still works as expected.

This is the only error in the logs:

# grep ERROR /var/log/yunohost/yunohost-cli.log 
2020-11-30 14:00:36,213 ERROR    yunohost.firewall firewall_upnp - [3405.1] No UPnP device found

With more context:

2020-11-30 14:00:24,195 DEBUG    yunohost.firewall firewall_upnp - [3405.1] discovering UPnP devices...
2020-11-30 14:00:36,213 DEBUG    yunohost.firewall firewall_upnp - [3405.1] found 0 UPnP device(s)
2020-11-30 14:00:36,213 ERROR    yunohost.firewall firewall_upnp - [3405.1] No UPnP device found
2020-11-30 14:00:36,328 WARNING  yunohost.firewall firewall_disallow - [3405.1] Port 1900 is already closed for IPv4 connections
2020-11-30 14:00:36,329 WARNING  yunohost.firewall firewall_disallow - [3405.1] Port 1900 is already closed for IPv6 connections
2020-11-30 14:00:41,247 DEBUG    yunohost.firewall _on_rule_command_error - [3405.1] "iptables -w -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT" returned non-zero exit status 4:
> iptables v1.8.2 (nf_tables):  RULE_APPEND failed (No such file or directory): rule in chain INPUT
2020-11-30 14:00:54,359 DEBUG    yunohost.firewall _on_rule_command_error - [3405.1] "ip6tables -w -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT" returned non-zero exit status 4:
> ip6tables v1.8.2 (nf_tables):  RULE_APPEND failed (No such file or directory): rule in chain INPUT
2020-11-30 14:01:02,253 DEBUG    yunohost.hook hook_list - [3405.1] No default hook for action 'post_iptable_rules' in /usr/share/yunohost/hooks/
2020-11-30 14:01:02,253 DEBUG    yunohost.hook hook_list - [3405.1] No custom hook for action 'post_iptable_rules' in /etc/yunohost/hooks.d/

Do you know how I could try to fix this?

Well I don’t know why VPS-provider like so much to preinstall all the bind9 and apache crap …

My guess is that there’s some crap in /etc/resolv.conf that doesn’t point to 127.0.0.1 (which in the case of yunohost is dnsmasq, the local resolver)

Or maybe on the contrary : it does points to 127.0.0.1 and maybe your VPS provider blocks all DNS queries except for a specific server …

So I would try :

dig +short wikipedia.org
dig +short wikipedia.org @8.8.8.8
dig +short wikipedia.org @89.234.141.66
dig +short wikipedia.org @1.1.1.1
1 Like

All the dig requests have the same answer (after about 15 seconds):

;; connection timed out; no servers could be reached

The /etc/resolv.conf file used to be:

nameserver 62.129.252.252

Now it’s:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1

I tried to dig with their nameserver (dig +short wikipedia.org @62.129.252.252) and I got the same timeout result.

I’m suspecting a firewall misconfiguration, especially since the installer complained about some firewall problem. Also, telnet 62.129.252.252 53 takes a long time before I lose my patience and kill it (so it’s still a timeout).

But the rules look OK to me, because the only OUTPUT is ACCEPT:

# iptables -S
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N f2b-sshd
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5269 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -p udp -m udp --dport 1900 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A f2b-sshd -j RETURN
# Warning: iptables-legacy tables present, use iptables-legacy to see them
# iptables-legacy -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.