Bug 499793 - unbound fails on startup when called from init
Status: CLOSED NEXTRELEASE
Product: Fedora EPEL
Classification: Fedora
Component: unbound
Version: el5
Hardware: All, OS: Linux
Priority: low, Severity: high
Assigned To: Paul Wouters
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-05-08 04:16 EDT by Noa Resare
Modified: 2009-05-20 12:13 EDT
Doc Type: Bug Fix
Last Closed: 2009-05-20 12:13:25 EDT

Description Noa Resare 2009-05-08 04:16:41 EDT
Description of problem:
When unbound is added to the startup sequence it fails with the message in /var/log/messages reproduced below. When starting the service interactively using /sbin/service, the error condition is not triggered.


Version-Release number of selected component (if applicable):
unbound-1.2.0-4.el5

How reproducible:
always

Steps to Reproduce:
1. install unbound 'yum -y install unbound' on an updated vanilla machine
2. add unbound to the init startup sequence: '/sbin/chkconfig unbound on'
3. reboot the machine
  
Actual results:
[root@node0 sysconfig]# /sbin/service unbound status
unbound dead but pid file exists

Expected results:
[root@node0 sysconfig]# /sbin/service unbound status
unbound (pid 2112) is running...

Additional info:
The syslog from the restart contains the following section:

May  8 09:54:02 node0 unbound: [1629:0] notice: init module 0: validator
May  8 09:54:02 node0 unbound: [1629:0] notice: init module 1: iterator
May  8 09:54:02 node0 unbound: [1629:0] error: Error setting up SSL_CTX key and cert crypto error:0200100D:system library:fopen:Permission denied
May  8 09:54:02 node0 unbound: [1629:0] error: and additionally crypto error:20074002:BIO routines:FILE_CTRL:system lib
May  8 09:54:02 node0 unbound: [1629:0] error: and additionally crypto error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
May  8 09:54:02 node0 unbound: [1629:0] fatal error: Could not initialize main thread


I checked to see if this problem persists in the latest development version (r1622) from the unbound project and indeed it is still there, however the error message has been somewhat updated:


May  8 10:07:04 node0 unbound: [1565:0] notice: init module 1: iterator
May  8 10:07:04 node0 unbound: [1565:0] error: Error for server-cert-file: /etc/unbound/unbound_server.pem
May  8 10:07:04 node0 unbound: [1565:0] error: Error in SSL_CTX use_certificate_file crypto error:0200100D:system library:fopen:Permission denied
May  8 10:07:04 node0 unbound: [1565:0] error: and additionally crypto error:20074002:BIO routines:FILE_CTRL:system lib
May  8 10:07:04 node0 unbound: [1565:0] error: and additionally crypto error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
May  8 10:07:04 node0 unbound: [1565:0] fatal error: Could not initialize main thread

Now, the logfile points the blame towards /etc/unbound/unbound_server.pem.
Assigning the group 'unbound' to all files in /etc/unbound works around this problem, as expected.
Comment 1 Noa Resare 2009-05-20 07:37:03 EDT
The real fix to this issue is suggested on http://www.nlnetlabs.nl/bugs/show_bug.cgi?id=251 and the upstream maintainer plans to implement it for unbound-1.3.1.

The fact that the problem can be worked around by starting the service interactively in 1.2.1-4 is due to a bug that has been fixed in current unbound svn head. See http://www.nlnetlabs.nl/bugs/show_bug.cgi?id=250

In the interim, since this is an issue that probably causes some confusion to new users, I would suggest that you patch the unbound.conf file that ships with the package to read "control-enable: no" in the remote-control section. This bypasses the startup failure originally described above (which definitely counts as non-obvious).
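
An added example, not part of the bug report or of unbound itself: a Python check for the condition reported above, where a TLS file named in the remote-control: clause cannot be read by the account the daemon runs as. The function names and the uid/gids arguments are hypothetical; it assumes the file paths are set explicitly in unbound.conf and inspects mode bits only.

```python
import os, stat, tempfile

# Option names from the remote-control: clause of unbound.conf.
TLS_OPTS = ("server-key-file", "server-cert-file",
            "control-key-file", "control-cert-file")

def remote_control(conf_text):
    """Return {option: value} for the remote-control: clause."""
    opts, inside = {}, False
    for raw in conf_text.splitlines():
        key, sep, val = raw.split("#", 1)[0].strip().partition(":")
        if not sep:
            continue
        if not val.strip():              # "name:" on its own opens a clause
            inside = key == "remote-control"
        elif inside:
            opts[key] = val.strip().strip('"')
    return opts

def findings(conf_text, uid, gids):
    """TLS files uid/gids cannot read, plus keys readable by everyone.
    Mode bits only: ACLs, SELinux and directory permissions are not checked."""
    rc = remote_control(conf_text)
    if rc.get("control-enable", "no") != "yes":
        return []                        # control channel disabled
    out = []
    for opt in (o for o in TLS_OPTS if o in rc):   # assumption: explicit paths
        st = os.stat(rc[opt])
        bit = (stat.S_IRUSR if st.st_uid == uid else
               stat.S_IRGRP if st.st_gid in gids else stat.S_IROTH)
        if not st.st_mode & bit:
            out.append((opt, "unreadable"))
        elif opt.endswith("key-file") and st.st_mode & stat.S_IROTH:
            out.append((opt, "world-readable key"))
    return out

def demo(mode=0o640, in_group=False, enable="yes"):
    """Constructed case: one key file with `mode`, owned by a different uid."""
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "unbound_server.key")
        open(key, "w").close()
        os.chmod(key, mode)
        st = os.stat(key)
        conf = ("remote-control:\n  control-enable: %s\n"
                "  server-key-file: \"%s\"\n" % (enable, key))
        gids = {st.st_gid} if in_group else {st.st_gid + 1}
        return findings(conf, st.st_uid + 1, gids)

if __name__ == "__main__":
    print(demo(), demo(in_group=True), demo(mode=0o644))
```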
Comment 2 Paul Wouters 2009-05-20 12:13:25 EDT
Fixed in 1.2.1-1 for EL-5 and in 1.2.1-6 in rawhide. Also in next releases in F-*
