Bug 1530661 - knot-resolver fails systemd socket activation on CentOS 7
Summary: knot-resolver fails systemd socket activation on CentOS 7
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: knot-resolver
Version: epel7
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Tomas Krizek
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-01-03 15:27 UTC by Karl-Johan Karlsson
Modified: 2018-03-06 17:31 UTC (History)
2 users (show)

Fixed In Version: knot-resolver-2.1.0-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-03-06 17:31:22 UTC


Attachments (Terms of Use)

Description Karl-Johan Karlsson 2018-01-03 15:27:31 UTC
Description of problem:

I'm trying to run knot-resolver out of EPEL on CentOS 7.4.1708. Systemd opens a socket for it, but the daemon never starts, leaving these error messages in syslog:

   kresd: [system] bind to '127.0.0.1@53' Permission denied
   kresd: [system] bind to '::1@53' Permission denied

Which is weird, because the systemd unit files shipped in the package set up socket activation, which (according to the documentation at https://knot-resolver.readthedocs.io/en/stable/daemon.html#running-supervised ) should work automatically.

Looking at the source code, the socket activation code is within "#ifdef HAS_SYSTEMD" guards. Looking at the Makefile, this #define is set if libsystemd of version 227 or above is detected. This test was added in commit 50eebc07, in august of 2016 (first released in knot-resolver-1.1.0), with the comment that the sd_listen_fds_with_names() function call requires this version. CentOS 7 has version 219:

   $ rpm -qf /usr/lib64/libsystemd.so
   systemd-devel-219-42.el7_4.4.x86_64

Sure enough, when I fetch the SRPM and rebuild it, the Makefile does not detect systemd:

   [no] systemd (daemon)

Version-Release number of selected component (if applicable): knot-resolver-1.5.0-1.el7.x86_64

How reproducible: Always

Steps to Reproduce:
1. yum -y install bind-utils knot-resolver-1.5.0-1.el7.x86_64
2. systemctl start kresd.socket
3. dig @localhost a a.root-servers.net

Actual results:

kresd doesn't start.

dig fails:
   ;; connection timed out; no servers could be reached

/var/log/messages contains:
   kresd: [system] bind to '127.0.0.1@53' Permission denied
   kresd: [system] bind to '::1@53' Permission denied
   [...]
   systemd: start request repeated too quickly for kresd.service
   systemd: Failed to start Knot DNS Resolver daemon.
   systemd: Unit kresd.socket entered failed state.
   systemd: kresd.service failed.


Expected results:

kresd should start and answer the query.


Additional info:

I assume an updated systemd isn't possible for CentOS, so can we get a unit file that starts kresd as a normal daemon instead of using socket activation?

Comment 1 Karl-Johan Karlsson 2018-01-03 15:29:54 UTC
I have read bug #1366968 and am running with SELinux disabled.

Comment 2 Fedora Update System 2018-01-23 19:16:57 UTC
knot-resolver-1.5.3-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-24ac4ff7df

Comment 3 Fedora Update System 2018-01-25 07:42:49 UTC
knot-resolver-1.5.3-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-24ac4ff7df

Comment 4 Karl-Johan Karlsson 2018-01-25 10:49:13 UTC
I tried knot-resolver-1.5.3-1.el7 on CentOS 7.4.1708. The provided socket activation-based unit file still doesn't work, but the one running as a regular daemon does.

Comment 5 Tomas Krizek 2018-01-25 11:04:55 UTC
Unfortunately, socket activation isn't going to work on CentOS 7, since the upstream uses certain functions that are only available in newer systemd.

Comment 6 Karl-Johan Karlsson 2018-01-25 11:58:13 UTC
Yes, I know. My point is that shipping a configuration that is never going to work alongside a working one is a bit confusing for the user.

Comment 7 Tomas Krizek 2018-01-25 12:35:06 UTC
I agree. I'll remove the unnecessary socket unit files in the future releases.

Comment 8 Fedora Update System 2018-02-19 11:14:47 UTC
knot-resolver-2.1.0-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-cee77fc9b3

Comment 9 Fedora Update System 2018-02-19 18:03:26 UTC
knot-resolver-2.1.0-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-cee77fc9b3

Comment 10 Fedora Update System 2018-03-06 17:31:22 UTC
knot-resolver-2.1.0-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.