[Unbound-users] Troubleshooting occasional "Permission denied" errors?

Discussion:

Tom Samplonius

2015-06-16 07:14:42 UTC

I’m seeing some Permission denied errors in the log:

Jun 15 19:51:56 dns2 unbound: [18520:1] error: can't bind socket: Permission denied
Jun 15 20:02:03 dns2 unbound: [18520:1] error: can't bind socket: Permission denied
Jun 15 20:19:51 dns2 unbound: [18520:1] error: can't bind socket: Permission denied
Jun 15 20:32:35 dns2 unbound: [18520:1] error: can't bind socket: Permission denied
Jun 15 20:55:43 dns2 unbound: [18520:1] error: can't bind socket: Permission denied
Jun 15 21:00:05 dns2 unbound: [18520:1] error: can't bind socket: Permission denied
Jun 15 21:25:44 dns2 unbound: [18520:1] error: can't bind socket: Permission denied
Jun 15 21:30:26 dns2 unbound: [18520:1] error: can't bind socket: Permission denied
Jun 15 21:33:38 dns2 unbound: [18520:1] error: can't bind socket: Permission denied
Jun 15 21:41:51 dns2 unbound: [18520:1] error: can't bind socket: Permission denied
Jun 15 21:48:41 dns2 unbound: [18520:1] error: can't bind socket: Permission denied
Jun 15 21:52:04 dns2 unbound: [18520:1] error: can't bind socket: Permission denied
Jun 15 22:00:55 dns2 unbound: [18520:1] error: can't bind socket: Permission denied
Jun 15 22:01:56 dns2 unbound: [18520:1] error: can't bind socket: Permission denied
Jun 15 22:03:38 dns2 unbound: [18520:1] error: can't bind socket: Permission denied

Unbound seems to be running normally, and appears to be answer all queries normally. It is version 1.4.20 on CentOS 7.

I suspect it may be a conflict between the random port algorithm and something else running on this server, though I don’t know what it could be. The error message would be more helpful if it included a port number and possibly the source IP. I have not set outgoing_interface, or made any changes to the port selection options, so Unbound is using defaults.

How do I track this down? Would version 1.5.3 fix this? 1.4.20 is from CentOS 7 base repo.

Tom

Yuri Schaeffer

2015-06-16 07:55:34 UTC

Permalink

Hi Tom,
Could you have a look at this discussion from last October? There are
a couple of suggestions mentioned there.

https://unbound.nlnetlabs.nl/pipermail/unbound-users/2014-October/003552
.html

Regards,
Yuri

Jarno Huuskonen

2015-06-16 10:44:50 UTC

Permalink

Hi,

Post by Tom Samplonius
Jun 15 19:51:56 dns2 unbound: [18520:1] error: can't bind socket: Permission denied
Jun 15 20:02:03 dns2 unbound: [18520:1] error: can't bind socket: Permission denied
Unbound seems to be running normally, and appears to be answer all queries normally. It is version 1.4.20 on CentOS 7.

Are you running with selinux enabled ?

Check selinux audit log (/var/log/audit/audit.log), denied ports might be
logged there. Or try with something like this in unbound.conf:
outgoing-port-avoid: 8953
outgoing-port-avoid: 5546

(I think I got selinux denied for (at least) these two ports).

-Jarno

--
Jarno Huuskonen

Paul Wouters

2015-06-16 14:55:37 UTC

Permalink

Post by Jarno Huuskonen

Post by Tom Samplonius
Unbound seems to be running normally, and appears to be answer all queries normally. It is version 1.4.20 on CentOS 7.

Are you running with selinux enabled ?
Check selinux audit log (/var/log/audit/audit.log), denied ports might be
outgoing-port-avoid: 8953
outgoing-port-avoid: 5546
(I think I got selinux denied for (at least) these two ports).

the fedora config ships with:

outgoing-port-permit: 32768-65535
outgoing-port-avoid: 0-32767

I see the rhel7 build is missing those lines. I will file a bug report
for RHEL7.

Paul

Tom Samplonius

2015-06-17 02:20:37 UTC

Permalink

Post by Paul Wouters

Post by Jarno Huuskonen

Post by Tom Samplonius
Unbound seems to be running normally, and appears to be answer all queries normally. It is version 1.4.20 on CentOS 7.

outgoing-port-permit: 32768-65535
outgoing-port-avoid: 0-32767
I see the rhel7 build is missing those lines. I will file a bug report
for RHEL7.

I don’t know what else is using those ports of my server (or blocking access to these ports), but adding that config to unbound.conf has eliminated the “Permission denied” errors that I was seeing.

Also, any idea what the closest-to-official way to upgrade a RHEL7-like system to Unbound 1.5.x is?

Tom

Paul Wouters

2015-06-17 02:36:44 UTC

Permalink

Post by Tom Samplonius

Post by Paul Wouters

Post by Jarno Huuskonen
(I think I got selinux denied for (at least) these two ports).

outgoing-port-permit: 32768-65535
outgoing-port-avoid: 0-32767
I see the rhel7 build is missing those lines. I will file a bug report
for RHEL7.

I don’t know what else is using those ports of my server (or blocking access to these ports), but adding that config to unbound.conf has eliminated the “Permission denied” errors that I was seeing.
Also, any idea what the closest-to-official way to upgrade a RHEL7-like system to Unbound 1.5.x is?

You can probably just grab a fedora 21, 22 or source rpm of unbound and
recompile it on rhel7:

wget https://kojipkgs.fedoraproject.org//packages/unbound/1.5.3/8.fc22/src/unbound-1.5.3-8.fc22.src.rpm
rpm -hiv unbound-1.5.3-8.fc22.src.rpm
rpmbuild -ba ~/rpmbuild/SPECS/unbound.spec

Paul

Tom Samplonius

2015-06-17 00:17:46 UTC

Permalink

Post by Jarno Huuskonen
Hi,

Yes, I run SELinux in enforcing mode. But audit.log has no rejections for anything.

That is another reason why I suspect either a conflict with another process of an Unbound bug in 1.4.20

Post by Jarno Huuskonen
-Jarno

Tom

Continue reading on narkive:

Search results for '[Unbound-users] Troubleshooting occasional "Permission denied" errors?' (Questions and Answers)

733

replies

How do you protect yourself against computer viruses?

started 2010-02-07 19:54:16 UTC

computers & internet