[SOLVED] command dig not working in container in VE 9.1.1

De Menz

root@len1:~# dig
root@len1:~#

apt install dnsutils
Note, selecting 'bind9-dnsutils' instead of 'dnsutils'
bind9-dnsutils is already the newest version (1:9.20.18-1ubuntu2.1).
Summary:
Upgrading: 0, Installing: 0, Removing: 0, Not Upgrading: 0

same with nslookup
DNS resolution works with some limitations (DNS error instead of nxdomain)

uname -a
Linux len1 6.17.2-1-pve #1 SMP PREEMPT_DYNAMIC PMX 6.17.2-1 (2025-10-21T11:55Z) x86_64 GNU/Linux (ubuntu26.04)
What's wrong?
 
Hm - could not reproduce dig not providing any output in a container that I installed fresh from the ubuntu 26.04 template (guessed the version based on `1:9.20.18-1ubuntu2.1` version for bind9-dnsutils) - here it produces the root-nameservers:
Code:
# dig 

; <<>> DiG 9.20.18-1ubuntu2.1-Ubuntu <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29541
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       72675   IN      NS      l.root-servers.net.
.                       72675   IN      NS      e.root-servers.net.
.                       72675   IN      NS      a.root-servers.net.
.                       72675   IN      NS      b.root-servers.net.
.                       72675   IN      NS      k.root-servers.net.
.                       72675   IN      NS      h.root-servers.net.
.                       72675   IN      NS      c.root-servers.net.
.                       72675   IN      NS      f.root-servers.net.
.                       72675   IN      NS      j.root-servers.net.
.                       72675   IN      NS      i.root-servers.net.
.                       72675   IN      NS      d.root-servers.net.
.                       72675   IN      NS      g.root-servers.net.
.                       72675   IN      NS      m.root-servers.net.

;; Query time: 1 msec
;; SERVER: 192.0.2.53#53(192.0.2.53) (UDP)
;; WHEN: Mon Jun 22 10:50:31 UTC 2026
;; MSG SIZE  rcvd: 239


What does your container config look like? What's the output of `pveversion -v`?
 
A colleague managed to reproduce the issue locally - I failed because I checked inside tmux or via ssh :)

It seems the issue is with `/etc/apparmor.d/dig` (or rather the included `/etc/apparmor.d/abstractions/console`)

Could you try the following to verify that any of the changes below fixes the issue for you as well:
* running dig via ssh
* running dig inside tmux on the (GUI) console of your container
* changing the console mode in the container's options from 'Default(tty)' to /dev/console
* adding `/etc/apparmor.d/abstractions/consoles.d/pve-container-console` with content:
Code:
/dev/tty[0-9]*     rw,

Any single one by itself should produce output in dig (for the changed AppArmor abstraction you need to reboot, or reload the AppArmor profile of dig).

Thanks!
 
Hello Mr. Ivanov,

Thanks for your time.
1.
root@lenovo:~# pveversion -v


Linux lenovo 6.17.2-1-pve #1 SMP PREEMPT_DYNAMIC PMX 6.17.2-1 (2025-10-21T11:55Z) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@lenovo:~# pveversion -v
proxmox-ve: 9.1.0 (running kernel: 6.17.2-1-pve)
pve-manager: 9.1.1 (running version: 9.1.1/42db4a6cf33dac83)
proxmox-kernel-helper: 9.0.4
proxmox-kernel-6.17.2-1-pve-signed: 6.17.2-1
proxmox-kernel-6.17: 6.17.2-1
ceph-fuse: 19.2.3-pve2
corosync: 3.1.9-pve2
criu: 4.1.1-1
frr-pythontools: 10.3.1-1+pve4
ifupdown2: 3.3.0-1+pmx11
intel-microcode: 3.20251111.1~deb13u1
ksm-control-daemon: 1.5-1
libjs-extjs: 7.0.0-5
libproxmox-acme-perl: 1.7.0
libproxmox-backup-qemu0: 2.0.1
libproxmox-rs-perl: 0.4.1
libpve-access-control: 9.0.4
libpve-apiclient-perl: 3.4.2
libpve-cluster-api-perl: 9.0.7
libpve-cluster-perl: 9.0.7
libpve-common-perl: 9.0.15
libpve-guest-common-perl: 6.0.2
libpve-http-server-perl: 6.0.5
libpve-network-perl: 1.2.3
libpve-rs-perl: 0.11.3
libpve-storage-perl: 9.0.18
libspice-server1: 0.15.2-1+b1
lvm2: 2.03.31-2+pmx1
lxc-pve: 6.0.5-3
lxcfs: 6.0.4-pve1
novnc-pve: 1.6.0-3
proxmox-backup-client: 4.0.20-1
proxmox-backup-file-restore: 4.0.20-1
proxmox-backup-restore-image: 1.0.0
proxmox-firewall: 1.2.1
proxmox-kernel-helper: 9.0.4
proxmox-mail-forward: 1.0.2
proxmox-mini-journalreader: 1.6
proxmox-offline-mirror-helper: 0.7.3
proxmox-widget-toolkit: 5.1.2
pve-cluster: 9.0.7
pve-container: 6.0.18
pve-docs: 9.1.0
pve-edk2-firmware: 4.2025.05-2
pve-esxi-import-tools: 1.0.1
pve-firewall: 6.0.4
pve-firmware: 3.17-2
pve-ha-manager: 5.0.8
pve-i18n: 3.6.2
pve-qemu-kvm: 10.1.2-3
pve-xtermjs: 5.5.0-3
qemu-server: 9.0.30
smartmontools: 7.4-pve1
spiceterm: 3.4.1
swtpm: 0.8.0+pve3
vncterm: 1.9.1
zfsutils-linux: 2.3.4-pve1

2.
dig over ssh in container : works
tmux not available on container only tty, tty(x),console, shell
dig in container with tty: fail
consoles.d in /etc/apparmor.d/abstractions not available
/etc/apparmor.d/abstractions/consoles.d/pve-container-console created, aa-teardown and container reboot
aaaaaaannnnnnnndddddddd works!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!;););););););););););)
Thx for help
great job

dig working on tty console in container.

problem solved
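
The drop-in fix discussed in this thread, as an added example that is not part of any post: a script that tells the three terminal cases apart and installs the console rule idempotently. The rule text, the drop-in path and `/etc/apparmor.d/dig` come from the thread; the function names and the ROOT argument (used so the functions can run against a scratch directory) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and ROOT are hypothetical.
RULE='/dev/tty[0-9]*     rw,'   # rule text as posted in the thread
DROPIN_REL='etc/apparmor.d/abstractions/consoles.d/pve-container-console'

# Classify a terminal device path along the cases tested in the thread:
#   tty-console -> /dev/ttyN, the 'Default (tty)' console where dig printed nothing
#   pts         -> /dev/pts/N, the pseudo-terminal that ssh and tmux hand to dig
#   console     -> /dev/console, the alternative console mode
console_kind() {
    case "$1" in
        /dev/tty[0-9]*) echo tty-console ;;
        /dev/pts/*)     echo pts ;;
        /dev/console)   echo console ;;
        *)              echo other ;;
    esac
}

# Add the rule to the drop-in under ROOT unless that exact line is already
# present. Prints "created" or "unchanged".
ensure_dropin() {
    root=${1%/}
    file="$root/$DROPIN_REL"
    if [ -f "$file" ] && grep -qxF -- "$RULE" "$file"; then
        echo unchanged
        return 0
    fi
    mkdir -p "$(dirname "$file")" || return 1
    printf '%s\n' "$RULE" >> "$file" || return 1
    chmod 0644 "$file"
    echo created
}

# Reload dig's profile so the rule applies without a reboot. Acts only on a
# live system (ROOT=/) that has apparmor_parser; otherwise prints "skipped".
reload_dig_profile() {
    [ "${1%/}" = "" ] || { echo skipped; return 0; }
    command -v apparmor_parser >/dev/null 2>&1 || { echo skipped; return 0; }
    apparmor_parser -r /etc/apparmor.d/dig && echo reloaded
}

# "check" reports the current terminal type; "apply" installs the rule and reloads.
case "${1:-}" in
    check) console_kind "$(tty 2>/dev/null)" ;;
    apply) ensure_dropin / && reload_dig_profile / ;;
esac
```

Run it with `check` on the container console first: only the `tty-console` case needs the drop-in.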