Bug 1328047

Summary: unbound-checkconf fails to detect control keys until first start of daemon
Product: Red Hat Enterprise Linux 7 Reporter: Abhijeet Kasurde <akasurde>
Component: unboundAssignee: Tomáš Hozza <thozza>
Status: CLOSED WONTFIX QA Contact: qe-baseos-daemons
Severity: low Docs Contact:
Priority: low    
Version: 7.3CC: psimerda, rskvaril, thozza
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-06-17 10:38:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Abhijeet Kasurde 2016-04-18 10:00:31 UTC 
Description of problem:
Running unbound-checkconf before starting unbound server throws error 

[root@server1 ~]# unbound-checkconf 
/etc/unbound/unbound_server.key: No such file or directory
[1460972952] unbound-checkconf[1903:0] fatal error: server-key-file: "/etc/unbound/unbound_server.key" does not exist

But if one starts unbound and then runs unbound-checkconf then 

[root@server1 ~]# systemctl start unbound
[root@server1 ~]# unbound-checkconf 
unbound-checkconf: no errors in /etc/unbound/unbound.conf


Version-Release number of selected component (if applicable):
unbound-1.4.20-26.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. install unbound
2. configure unbound for bare minimum requirement
3. run unbound-checkconf and observe error
4. start server and run unbound-checkconf


Actual results:
unbound-checkconf complains about non-existent control keys.

Expected results:
1. unbound-checkconf should notify user to create keys 
or
2. suggest user to start unbound server for first time
or
3. suggest user to create control keys for checking configuration file without starting unbound server
Comment 2 Pavel Šimerda (pavlix) 2016-05-23 08:31:30 UTC 
(In reply to Abhijeet Kasurde from comment #0)
> Description of problem:
> Running unbound-checkconf before starting unbound server throws error 
> 
> [root@server1 ~]# unbound-checkconf 
> /etc/unbound/unbound_server.key: No such file or directory
> [1460972952] unbound-checkconf[1903:0] fatal error: server-key-file:
> "/etc/unbound/unbound_server.key" does not exist
> 
> But if one starts unbound and then runs unbound-checkconf then 
> 
> [root@server1 ~]# systemctl start unbound
> [root@server1 ~]# unbound-checkconf
> unbound-checkconf: no errors in /etc/unbound/unbound.conf

Hi,

the problem description is clear.

> 3. suggest user to create control keys for checking configuration file
> without starting unbound server

I wonder whether we want to keep a patch just to add an additional message to the user. But it is an option indeed.

4. What about running the right service from unbound-checkconf and let the keys be created? Would it be acceptable at all to trigger key creation just by running unbound-checkconf?

I would choose between the two options above or no change at all.
Comment 3 Tomáš Hozza 2016-05-23 09:43:58 UTC 
(In reply to Pavel Šimerda (pavlix) from comment #2)
> (In reply to Abhijeet Kasurde from comment #0)
> > Description of problem:
> > Running unbound-checkconf before starting unbound server throws error 
> > 
> > [root@server1 ~]# unbound-checkconf 
> > /etc/unbound/unbound_server.key: No such file or directory
> > [1460972952] unbound-checkconf[1903:0] fatal error: server-key-file:
> > "/etc/unbound/unbound_server.key" does not exist
> > 
> > But if one starts unbound and then runs unbound-checkconf then 
> > 
> > [root@server1 ~]# systemctl start unbound
> > [root@server1 ~]# unbound-checkconf
> > unbound-checkconf: no errors in /etc/unbound/unbound.conf
> 
> Hi,
> 
> the problem description is clear.
> 
> > 3. suggest user to create control keys for checking configuration file
> > without starting unbound server
> 
> I wonder whether we want to keep a patch just to add an additional message
> to the user. But it is an option indeed.

No, we don't want to keep any downstream patches.

> 4. What about running the right service from unbound-checkconf and let the
> keys be created? Would it be acceptable at all to trigger key creation just
> by running unbound-checkconf?

If by "running the right service from unbound-checkconf" you mean executing systemctl from the code, then this is IMHO not something the upstream would accept, as it is distribution and OS specific thing.

I think the error message is clear in a way, that the (default) configuration contains path / name of the key used by the unbound server and the file does not exist.

The man page of unbound.conf says WRT server-key-file option, that "This file is generated by the unbound-control-setup utility."

I think that the error message provides the user enough information to determine that there is some issue with the configuration, specifically that key defined by server-key-file option does not exist. The man page for unbound.conf specifies that the key file is generated by running unbound-control-setup.

Generating the key during package installation is not something we want to do, because it could take extensive time on machines with not enough entropy (e.g. newly created VM).

The best we can do is to write KCS article describing that if the user wants to run unbound-checkconf before starting unbound, then they must run the unbound-keygen.service first.

Please also note that the nbound-checkconf is run before each start of unbound.

> I would choose between the two options above or no change at all.
Comment 5 Pavel Šimerda (pavlix) 2016-06-17 10:38:40 UTC 
We have published a solution article for this issue:

https://access.redhat.com/solutions/2356001

We do not plan any changes in the package itself.
Comment 6 Martin Osvald 🛹 2019-06-18 10:12:40 UTC 
*** Bug 1425163 has been marked as a duplicate of this bug. ***