linux.debian.bugs.dist

Bug#931583: unbound: start timeout if chroot configured


Package: unbound
Version: 1.9.0-2
Severity: normal
Dear Maintainer,
After upgrading from stretch (1.6.0-3+deb9u2) to buster (1.9.0-2)
unbound failed to start with log messages such as the following:
Jul 07 17:18:37 buster systemd[1]: Starting Unbound DNS server...
Jul 07 17:18:37 buster package-helper[12157]: /var/lib/unbound/root.key has content
Jul 07 17:18:37 buster package-helper[12157]: success: the anchor is ok
Jul 07 17:18:37 buster unbound[12161]: [12161:0] notice: init module 0: subnet
Jul 07 17:18:37 buster unbound[12161]: [12161:0] notice: init module 1: validator
Jul 07 17:18:37 buster unbound[12161]: [12161:0] notice: init module 2: iterator
Jul 07 17:18:37 buster unbound[12161]: [12161:0] info: start of service (unbound 1.9.0).
Jul 07 17:20:07 buster systemd[1]: unbound.service: Start operation timed out. Terminating.
Jul 07 17:20:07 buster unbound[12161]: [12161:0] info: service stopped (unbound 1.9.0).
Jul 07 17:20:07 buster unbound[12161]: [12161:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Jul 07 17:20:07 buster unbound[12161]: [12161:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
Jul 07 17:20:07 buster systemd[1]: unbound.service: Failed with result 'timeout'.
I eventually determined that this is the result of having chroot
configured, as discussed in #921538. To save others the time I spent
debugging this issue, I propose unbound log an error (and ideally fail
quickly) if chroot is configured in a way that won't work, rather than
causing start to quietly time out. I would be willing to provide a patch
if there is an agreeable way to achieve this (or to make the chroot
configuration work with systemd).
I would recommend unbound log an error for sd_notify() < 0 (which does
not occur if $NOTIFY_SOCKET is not defined). If that is not acceptable,
perhaps `/usr/lib/unbound/package-helper chroot_setup` could fail and
log an error if $CHROOT_DIR/$NOTIFY_SOCKET is not a socket. (This would
require passing $NOTIFY_SOCKET explicitly, since it is not available in
ExecStartPre.)
How would you like to proceed?
Thanks for considering,
Kevin
P.S. I fixed the timeout by adding an unbound.service override with:
[Service]
BindPaths=/run/systemd/notify:/var/lib/unbound/run/systemd/notify
If there isn't a plan to make chroot work automatically (which is
difficult since BindPath can't be set using systemctl set-property)
I could add instructions to README.Debian as part of the patch.
-- System Information:
Debian Release: 10.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-5-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages unbound depends on:
ii adduser 3.118
ii dns-root-data 2019031302
ii libc6 2.28-10
ii libevent-2.1-6 2.1.8-stable-4
ii libfstrm0 0.4.0-1
ii libprotobuf-c1 1.3.1-1+b1
ii libpython3.7 3.7.3-2
ii libssl1.1 1.1.1c-1
ii libsystemd0 241-5
ii lsb-base 10.2019051400
ii openssl 1.1.1c-1
ii unbound-anchor 1.9.0-2
unbound recommends no packages.
Versions of packages unbound suggests:
ii apparmor 2.13.2-10
-- Configuration Files:
/etc/unbound/unbound.conf changed [not included]
-- no debconf information
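The check proposed in the report (fail early if the notify socket is not reachable inside the chroot) and the BindPaths drop-in it offers as a workaround, written out as an added POSIX sh example. This is not the Debian package-helper script and not part of the bug report; the function names `check_notify_socket_in_chroot` and `bindpaths_dropin` are my own, and the check assumes the chroot directory and the value of NOTIFY_SOCKET are passed in explicitly (as the report notes, NOTIFY_SOCKET is not available in ExecStartPre):

```shell
#!/bin/sh
# Added example: a pre-start check for unbound running under chroot with
# Type=notify. sd_notify() inside the chroot can only reach systemd if the
# notify socket exists at $CHROOT_DIR$NOTIFY_SOCKET; otherwise the unit
# silently waits until systemd's start timeout fires.

# Print a systemd drop-in that binds the host notify socket into the chroot,
# equivalent to the override from the report when called with
# /var/lib/unbound and /run/systemd/notify.
bindpaths_dropin() {
    chroot_dir=$1
    notify_socket=$2
    printf '[Service]\nBindPaths=%s:%s%s\n' \
        "$notify_socket" "$chroot_dir" "$notify_socket"
}

# Return 0 when no notify socket is in use (nothing to check) or when the
# socket is present inside the chroot; return 1 with an error and a hint
# on stderr otherwise, so the service fails quickly instead of timing out.
check_notify_socket_in_chroot() {
    chroot_dir=$1
    notify_socket=$2
    if [ -z "$notify_socket" ]; then
        return 0            # not started with Type=notify, nothing to do
    fi
    if [ -S "$chroot_dir$notify_socket" ]; then
        return 0            # socket reachable from inside the chroot
    fi
    echo "error: $chroot_dir$notify_socket is not a socket;" \
         "sd_notify() from inside the chroot cannot reach systemd" >&2
    echo "hint: add a drop-in (systemctl edit unbound.service) containing:" >&2
    bindpaths_dropin "$chroot_dir" "$notify_socket" >&2
    return 1
}

# Stand-alone usage: CHROOT_DIR and NOTIFY_SOCKET would be supplied by the
# unit file, e.g. an ExecStartPre line that passes /run/systemd/notify.
if [ -n "${CHROOT_DIR:-}" ]; then
    check_notify_socket_in_chroot "$CHROOT_DIR" "${NOTIFY_SOCKET:-}"
fi
```

Running it with a chroot that lacks the socket prints the error plus the exact `[Service]`/`BindPaths=` lines needed; with NOTIFY_SOCKET empty it is a no-op, matching the report's observation that sd_notify() only fails when systemd actually exported a socket.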
Written by Kevin Locke 08/07/2019 00:00:01