Maintained by: NLnet Labs

[Unbound-users] TCP random timeouts

W.C.A. Wijngaards
Wed Dec 1 08:40:11 CET 2010


Hi Thomas,

On 12/01/2010 03:43 AM, Thomas Guthmann wrote:
> Re,
> 
>> What was the complaint?  Perhaps it complained about having to increase
>> the ulimit?  Otherwise, it should not complain if you have libevent (and
>> it looks like it works).  ulimit -n shows the number of file descriptors
>> that you allow; unbound tries to increase it (if it has root powers) if
>> you configure it to use lots.
> 
> Yes, it was a ulimit complaint about not having enough "open files". So
> I finally decided to change the limits.conf to nofile=4096 to root and
> unbound. Then the warning disappeared. It appeared because I increased
> num-tcp from 10 to 50 and obviously I used more than 1024 - before it
> was 950 + 10 + 10 so it was ok. But I thought that with libevent I
> didn't have to change ulimit. Something seems wrong.

That fixed your problem.

You can also increase to 2048 + 100 + 100 or so and have more headroom.

> It's confusing and hard to know in which mode we are, maybe it would be
> nice to print it when unbound starts (actually it somehow already says
> that with unbound -h).

It is certainly using libevent, it prints that with -h, and if you start
with high verbosity it will print this again in syslog.

So, the libevent is working fine, only your ulimit was in the way of
using many sockets.  If your nofile is low, it stops unbound from
opening network sockets (as every network connection counts as an open
file for that limit).  This is why unbound checks it on start and
reports if there is trouble: it first tries to adjust the ulimit, if
that fails it downsizes its config so that it can run without problems.

Unbound must open 'many network connections' to perform port
randomisation, for anti-spoof resistance.

> To summarize, it looks like I have libevent support but it does not use
> it :)

libevent is fine, it's the ulimit that bothered you :-)

Best regards,
   Wouter
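The descriptor arithmetic discussed in this message, as an added example that is not part of the original post and is not Unbound's own startup check. It assumes the thread's "950 + 10 + 10" corresponds to `outgoing-range`, `outgoing-num-tcp` and `incoming-num-tcp`, assumes a single thread, and uses a hypothetical `reserve` parameter for other descriptors; the sample configs are constructed from the numbers in the thread.

```python
import re
import resource

# The three terms of the thread's "950 + 10 + 10" sum; mapping them to these
# unbound.conf options is an assumption of this example.
COUNTED = ("outgoing-range", "outgoing-num-tcp", "incoming-num-tcp")

# Constructed sample configs using the numbers quoted in the thread.
BEFORE = "server:\n  outgoing-range: 950\n  outgoing-num-tcp: 10\n  incoming-num-tcp: 10\n"
AFTER = BEFORE.replace(": 10\n", ": 50  # raised num-tcp\n")
SUGGESTED = "server:\n  outgoing-range: 2048\n  outgoing-num-tcp: 100\n  incoming-num-tcp: 100\n"

def parse_conf(text):
    """Extract the counted integer options from unbound.conf text."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = re.fullmatch(r"([a-z0-9-]+):\s*(\d+)", line)
        if m and m.group(1) in COUNTED:
            found[m.group(1)] = int(m.group(2))
    return found

def check_budget(conf_text, nofile, reserve=0):
    """Compare the summed socket counts (plus hypothetical reserve) to nofile."""
    opts = parse_conf(conf_text)
    missing = [k for k in COUNTED if k not in opts]
    if missing:
        raise ValueError("not set explicitly: " + ", ".join(missing))
    needed = sum(opts.values()) + reserve
    return {"needed": needed, "fits": needed <= nofile, "headroom": nofile - needed}

def soft_nofile():
    """Soft RLIMIT_NOFILE of this process (the value `ulimit -n` shows)."""
    soft, _hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    return float("inf") if soft == resource.RLIM_INFINITY else soft

if __name__ == "__main__":
    for name, conf, limit in (("before", BEFORE, 1024), ("after", AFTER, 1024),
                              ("suggested", SUGGESTED, 4096)):
        print(name, limit, check_budget(conf, limit))
    print("this process:", check_budget(SUGGESTED, soft_nofile()))
```

Run it as the account that starts the daemon, since `limits.conf` entries are per user and the soft limit of an interactive root shell can differ from the service's.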