Bug 499793

Summary: unbound fails on startup when called from init
Classification: Fedora
Product: Fedora EPEL
Component: unbound
Version: el5
Hardware: All
OS: Linux
Status: CLOSED NEXTRELEASE
Severity: high
Priority: low
Reporter: Noa Resare <noa>
Assignee: Paul Wouters <pwouters>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: pwouters
Doc Type: Bug Fix
Last Closed: 2009-05-20 16:13:25 UTC

Description Noa Resare 2009-05-08 08:16:41 UTC
Description of problem:
When unbound is added to the startup sequence it fails with the message in /var/log/messages reproduced below. When starting the service interactively using /sbin/service, the error condition is not triggered.


Version-Release number of selected component (if applicable):
unbound-1.2.0-4.el5

How reproducible:
always

Steps to Reproduce:
1. install unbound 'yum -y install unbound' on an updated vanilla machine
2. add unbound to the init startup sequence: '/sbin/chkconfig unbound on'
3. reboot the machine
  
Actual results:
[root@node0 sysconfig]# /sbin/service unbound status
unbound dead but pid file exists

Expected results:
[root@node0 sysconfig]# /sbin/service unbound status
unbound (pid 2112) is running...

Additional info:
The syslog from the restart contains the following section:

May  8 09:54:02 node0 unbound: [1629:0] notice: init module 0: validator
May  8 09:54:02 node0 unbound: [1629:0] notice: init module 1: iterator
May  8 09:54:02 node0 unbound: [1629:0] error: Error setting up SSL_CTX key and cert crypto error:0200100D:system library:fopen:Permission denied
May  8 09:54:02 node0 unbound: [1629:0] error: and additionally crypto error:20074002:BIO routines:FILE_CTRL:system lib
May  8 09:54:02 node0 unbound: [1629:0] error: and additionally crypto error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
May  8 09:54:02 node0 unbound: [1629:0] fatal error: Could not initialize main thread


I checked to see if this problem persists in the latest development version (r1622) from the unbound project, and indeed it is still there; however, the error message has been somewhat updated:


May  8 10:07:04 node0 unbound: [1565:0] notice: init module 1: iterator
May  8 10:07:04 node0 unbound: [1565:0] error: Error for server-cert-file: /etc/unbound/unbound_server.pem
May  8 10:07:04 node0 unbound: [1565:0] error: Error in SSL_CTX use_certificate_file crypto error:0200100D:system library:fopen:Permission denied
May  8 10:07:04 node0 unbound: [1565:0] error: and additionally crypto error:20074002:BIO routines:FILE_CTRL:system lib
May  8 10:07:04 node0 unbound: [1565:0] error: and additionally crypto error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
May  8 10:07:04 node0 unbound: [1565:0] fatal error: Could not initialize main thread

Now, the logfile points the blame towards /etc/unbound/unbound_server.pem.
Assigning the group 'unbound' to all files in /etc/unbound works around this problem, as expected.

Comment 1 Noa Resare 2009-05-20 11:37:03 UTC
The real fix to this issue is suggested on http://www.nlnetlabs.nl/bugs/show_bug.cgi?id=251 and the upstream maintainer plans to implement it for unbound-1.3.1.

The fact that the problem can be worked around by starting the service interactively in 1.2.1-4 is due to a bug that has been fixed in current unbound svn head. See http://www.nlnetlabs.nl/bugs/show_bug.cgi?id=250

In the interim, since this is an issue that probably causes some confusion to new users, I would suggest that you patch the unbound.conf file that ships with the package to read "control-enable: no" in the remote-control section. This bypasses the startup failure originally described above (which definitely counts as non-obvious).
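A preflight check for the failure mode in this report, and for the "control-enable: no" workaround from comment 1, as an added example that is not part of the bug report or of unbound itself: it reads the remote-control section of an unbound.conf and lists which certificate or key files the service user could not open after the privilege drop, which is exactly the "fopen: Permission denied" that kills the main thread above. The uid/gid passed in, the conf_dir default and the sample config text are assumptions for the example.

```python
import os
import stat

# remote-control keys naming files unbound opens after switching to its service user
REMOTE_CONTROL_FILE_KEYS = (
    "server-key-file", "server-cert-file",
    "control-key-file", "control-cert-file",
)


def parse_remote_control(conf_text):
    """Return the key/value pairs of the remote-control: section as a dict."""
    settings = {}
    in_section = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                 # unindented lines are section headers
            in_section = line.strip() == "remote-control:"
            continue
        if in_section and ":" in line:
            key, value = line.strip().split(":", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings


def readable_by(path, uid, gid):
    """True if a process running as uid/gid can open path for reading (mode bits only, ACLs ignored)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False                              # a missing file fails at startup just the same
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def preflight(conf_text, uid, gid, conf_dir="/etc/unbound"):
    """Return the remote-control files the service user cannot read; an empty list means startup should pass."""
    rc = parse_remote_control(conf_text)
    if rc.get("control-enable", "no").lower() != "yes":
        return []                                 # workaround from comment 1: no cert files are opened
    unreadable = []
    for key in REMOTE_CONTROL_FILE_KEYS:
        if key in rc:
            # assumption: relative paths resolve against conf_dir, like the shipped config
            path = rc[key] if os.path.isabs(rc[key]) else os.path.join(conf_dir, rc[key])
            if not readable_by(path, uid, gid):
                unreadable.append(path)
    return unreadable
```

Run it with the uid and gid of the unbound user before enabling the service at boot; any path it returns is one that `chgrp unbound` (the reporter's workaround) or a correct mode would have to fix.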

Comment 2 Paul Wouters 2009-05-20 16:13:25 UTC
Fixed in 1.2.1-1 for EL-5 and in 1.2.1-6 in rawhide. Also in next releases in F-*.