Discussion:
[Unbound-users] Troubleshooting occasional "Permission denied" errors?
Tom Samplonius
2015-06-16 07:14:42 UTC
I’m seeing some Permission denied errors in the log:

Jun 15 19:51:56 dns2 unbound: [18520:1] error: can't bind socket: Permission denied
Jun 15 20:02:03 dns2 unbound: [18520:1] error: can't bind socket: Permission denied
Jun 15 20:19:51 dns2 unbound: [18520:1] error: can't bind socket: Permission denied
Jun 15 20:32:35 dns2 unbound: [18520:1] error: can't bind socket: Permission denied
Jun 15 20:55:43 dns2 unbound: [18520:1] error: can't bind socket: Permission denied
Jun 15 21:00:05 dns2 unbound: [18520:1] error: can't bind socket: Permission denied
Jun 15 21:25:44 dns2 unbound: [18520:1] error: can't bind socket: Permission denied
Jun 15 21:30:26 dns2 unbound: [18520:1] error: can't bind socket: Permission denied
Jun 15 21:33:38 dns2 unbound: [18520:1] error: can't bind socket: Permission denied
Jun 15 21:41:51 dns2 unbound: [18520:1] error: can't bind socket: Permission denied
Jun 15 21:48:41 dns2 unbound: [18520:1] error: can't bind socket: Permission denied
Jun 15 21:52:04 dns2 unbound: [18520:1] error: can't bind socket: Permission denied
Jun 15 22:00:55 dns2 unbound: [18520:1] error: can't bind socket: Permission denied
Jun 15 22:01:56 dns2 unbound: [18520:1] error: can't bind socket: Permission denied
Jun 15 22:03:38 dns2 unbound: [18520:1] error: can't bind socket: Permission denied


Unbound seems to be running normally, and appears to be answering all queries normally. It is version 1.4.20 on CentOS 7.

I suspect it may be a conflict between the random port algorithm and something else running on this server, though I don’t know what it could be. The error message would be more helpful if it included a port number and possibly the source IP. I have not set outgoing_interface, or made any changes to the port selection options, so Unbound is using defaults.

How do I track this down? Would version 1.5.3 fix this? 1.4.20 is from CentOS 7 base repo.


Tom
Yuri Schaeffer
2015-06-16 07:55:34 UTC
Hi Tom,
Could you have a look at this discussion from last October? There are
a couple of suggestions mentioned there.

https://unbound.nlnetlabs.nl/pipermail/unbound-users/2014-October/003552.html

Regards,
Yuri
Jarno Huuskonen
2015-06-16 10:44:50 UTC
Hi,
Post by Tom Samplonius
Jun 15 19:51:56 dns2 unbound: [18520:1] error: can't bind socket: Permission denied
Jun 15 20:02:03 dns2 unbound: [18520:1] error: can't bind socket: Permission denied
Unbound seems to be running normally, and appears to be answering all queries normally. It is version 1.4.20 on CentOS 7.
Are you running with selinux enabled ?

Check selinux audit log (/var/log/audit/audit.log), denied ports might be
logged there. Or try with something like this in unbound.conf:
outgoing-port-avoid: 8953
outgoing-port-avoid: 5546

(I think I got selinux denied for (at least) these two ports).

-Jarno
--
Jarno Huuskonen
Paul Wouters
2015-06-16 14:55:37 UTC
Post by Jarno Huuskonen
Post by Tom Samplonius
Unbound seems to be running normally, and appears to be answering all queries normally. It is version 1.4.20 on CentOS 7.
Are you running with selinux enabled ?
Check selinux audit log (/var/log/audit/audit.log), denied ports might be
outgoing-port-avoid: 8953
outgoing-port-avoid: 5546
(I think I got selinux denied for (at least) these two ports).
the fedora config ships with:

outgoing-port-permit: 32768-65535
outgoing-port-avoid: 0-32767

I see the rhel7 build is missing those lines. I will file a bug report
for RHEL7.

Paul
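The two fixes proposed in this thread (Jarno's per-port outgoing-port-avoid lines and the Fedora permit/avoid pair Paul quotes) both work by steering Unbound's source-port picker away from ports that SELinux has labelled for some other service, since a bind() to such a port is what returns EACCES ("Permission denied"). The script below is an added example written for this page, not code from the Unbound project or from any poster: it resolves a set of outgoing-port-permit/outgoing-port-avoid statements to the final port set the way unbound.conf(5) describes (statements are processed in file order and the last one naming a port wins), then cross-checks that set against `semanage port -l` style output and emits the avoid lines that would be needed. The baseline of 1024-65535 when no statements are present is a simplification of Unbound's real default, the label names treated as harmless (ephemeral_port_t, unreserved_port_t) are an assumption about the local policy, and the sample config and semanage output are constructed for the demo, not taken from the poster's host.

```python
"""
Resolve Unbound outgoing-port-permit / outgoing-port-avoid statements and
check the resulting source-port set against SELinux port labels.

Added example for this thread; not Unbound project code. The sample
unbound.conf fragments and the `semanage port -l` output are constructed.
"""
import re

# Simplification of Unbound's default (the manual says "ports above 1024
# not assigned by IANA"); the exact default list lives in Unbound's source.
DEFAULT_PERMIT = frozenset(range(1024, 65536))

# Assumption about the local SELinux policy: Unbound's domain may bind
# generic ephemeral/unreserved ports, so only service-specific labels count.
HARMLESS_LABELS = frozenset({"ephemeral_port_t", "unreserved_port_t"})

STATEMENT = re.compile(
    r"^\s*outgoing-port-(permit|avoid)\s*:\s*(\d+)(?:-(\d+))?\s*$")
SEMANAGE_LINE = re.compile(r"^(\S+)\s+(tcp|udp)\s+(.+)$")


def parse_port_statements(conf_text):
    """Return [(action, low, high), ...] in file order, comments stripped."""
    out = []
    for line in conf_text.splitlines():
        m = STATEMENT.match(line.split("#", 1)[0])
        if not m:
            continue
        low = int(m.group(2))
        high = int(m.group(3) or low)
        if not 0 <= low <= high <= 65535:
            raise ValueError("bad port range: %s" % line.strip())
        out.append((m.group(1), low, high))
    return out


def resolve_outgoing_ports(conf_text, baseline=DEFAULT_PERMIT):
    """Apply statements in line order; the last statement naming a port wins."""
    allowed = set(baseline)
    for action, low, high in parse_port_statements(conf_text):
        ports = range(low, high + 1)
        if action == "permit":
            allowed.update(ports)
        else:
            allowed.difference_update(ports)
    return allowed


def parse_semanage_ports(text):
    """Parse `semanage port -l` lines into (label, proto, low, high) tuples."""
    result = []
    for line in text.splitlines():
        m = SEMANAGE_LINE.match(line.strip())
        if not m:
            continue  # header line or blank
        label, proto, spec = m.groups()
        for item in spec.split(","):
            item = item.strip()
            low, high = (map(int, item.split("-", 1)) if "-" in item
                         else (int(item), int(item)))
            result.append((label, proto, low, high))
    return result


def labelled_collisions(allowed, semanage_text, proto="udp"):
    """Map each permitted port that carries a service-specific label to that label."""
    hits = {}
    for label, p, low, high in parse_semanage_ports(semanage_text):
        if p != proto or label in HARMLESS_LABELS:
            continue
        for port in range(low, high + 1):
            if port in allowed:
                hits[port] = label
    return hits


def avoid_lines(collisions):
    """Render collisions as unbound.conf statements, lowest port first."""
    return ["outgoing-port-avoid: %d" % p for p in sorted(collisions)]


# Constructed samples: the Fedora pair from the thread, a RHEL7-style
# config with no port statements, and fake semanage output.
FEDORA_CONF = """server:
    outgoing-port-permit: 32768-65535
    outgoing-port-avoid: 0-32767
"""
RHEL7_DEFAULT_CONF = "server:\n"
SAMPLE_SEMANAGE = """SELinux Port Type              Proto    Port Number
dns_port_t                     udp      53
ephemeral_port_t               udp      32768-60999
example_port_t                 udp      5546, 8953
other_port_t                   udp      40000
"""

if __name__ == "__main__":
    for name, conf in (("fedora", FEDORA_CONF), ("rhel7", RHEL7_DEFAULT_CONF)):
        allowed = resolve_outgoing_ports(conf)
        hits = labelled_collisions(allowed, SAMPLE_SEMANAGE)
        print("%s: %d permitted ports, %d labelled collisions"
              % (name, len(allowed), len(hits)))
        print("\n".join(avoid_lines(hits)))
```

On a real host feed it the output of `semanage port -l` (the `-l` listing is what the parser expects) and compare with `ausearch -m AVC -c unbound`. If, as in Tom's case, audit.log shows nothing even though Unbound logs EACCES, remember that the policy may carry dontaudit rules for that check; `semodule -DB` rebuilds the policy with dontaudit rules disabled so the denial becomes visible, and `semodule -B` restores the normal build afterwards.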
Tom Samplonius
2015-06-17 02:20:37 UTC
Post by Paul Wouters
Post by Jarno Huuskonen
Post by Tom Samplonius
Unbound seems to be running normally, and appears to be answering all queries normally. It is version 1.4.20 on CentOS 7.
Are you running with selinux enabled ?
Check selinux audit log (/var/log/audit/audit.log), denied ports might be
outgoing-port-avoid: 8953
outgoing-port-avoid: 5546
(I think I got selinux denied for (at least) these two ports).
outgoing-port-permit: 32768-65535
outgoing-port-avoid: 0-32767
I see the rhel7 build is missing those lines. I will file a bug report
for RHEL7.
I don’t know what else is using those ports on my server (or blocking access to these ports), but adding that config to unbound.conf has eliminated the “Permission denied” errors that I was seeing.

Also, any idea what the closest-to-official way to upgrade a RHEL7-like system to Unbound 1.5.x is?


Tom
Paul Wouters
2015-06-17 02:36:44 UTC
Post by Tom Samplonius
Post by Paul Wouters
Post by Jarno Huuskonen
(I think I got selinux denied for (at least) these two ports).
outgoing-port-permit: 32768-65535
outgoing-port-avoid: 0-32767
I see the rhel7 build is missing those lines. I will file a bug report
for RHEL7.
I don’t know what else is using those ports on my server (or blocking access to these ports), but adding that config to unbound.conf has eliminated the “Permission denied” errors that I was seeing.
Also, any idea what the closest-to-official way to upgrade a RHEL7-like system to Unbound 1.5.x is?
You can probably just grab a fedora 21, 22 or source rpm of unbound and
recompile it on rhel7:

wget https://kojipkgs.fedoraproject.org//packages/unbound/1.5.3/8.fc22/src/unbound-1.5.3-8.fc22.src.rpm
rpm -hiv unbound-1.5.3-8.fc22.src.rpm
rpmbuild -ba ~/rpmbuild/SPECS/unbound.spec


Paul

Tom Samplonius
2015-06-17 00:17:46 UTC
Post by Jarno Huuskonen
Hi,
Post by Tom Samplonius
Jun 15 19:51:56 dns2 unbound: [18520:1] error: can't bind socket: Permission denied
Jun 15 20:02:03 dns2 unbound: [18520:1] error: can't bind socket: Permission denied
Unbound seems to be running normally, and appears to be answering all queries normally. It is version 1.4.20 on CentOS 7.
Are you running with selinux enabled ?
Check selinux audit log (/var/log/audit/audit.log), denied ports might be
outgoing-port-avoid: 8953
outgoing-port-avoid: 5546
(I think I got selinux denied for (at least) these two ports).
Yes, I run SELinux in enforcing mode. But audit.log has no rejections for anything.

That is another reason why I suspect either a conflict with another process or an Unbound bug in 1.4.20.
Post by Jarno Huuskonen
-Jarno
Tom