Maintained by: NLnet Labs

[Unbound-users] unbound crashing on FreeBSD

W.C.A. Wijngaards
Thu Jan 30 15:52:39 CET 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Mathieu,

On 01/30/2014 03:42 PM, W.C.A. Wijngaards wrote:
> Hi Mathieu,
> 
> On 01/30/2014 03:25 PM, Mathieu Arnold wrote:
>> Hi,
> 
>> I've upgraded one of my resolvers to FreeBSD 10.0, and since
>> then, unbound (1.4.21) crashes regularly (about once a day) with,
>> say :
> 
>> Jan 30 12:49:45 resolver3 unbound: [96044:2] fatal error: 
>> event_dispatch returned error -1, errno is Capabilities 
>> insufficient
> 
>> Any hints on what may be wrong ?
> 
> FreeBSD 10.  Does that have a fine-grained user capabilities
> thing? event_dispatch would run kqueue for unbound (if you compiled
> with libevent).  Does it not have permission to use kqueue?
> 
> Without an event loop there is very little that unbound can do; no 
> events means no information about network sockets.
> 
> If you compile --without-libevent, then unbound uses select()
> which may avoid this.
> 
> Perhaps this is about the number of sockets opened?  The 
> filedescriptor count in the ulimit structure?   You configured
> unbound for high performance with many open sockets, but when it
> does (when it gets busy once a day) the OS gives this error?
> Strange because unbound checks the rlimits (resource limits) when
> it starts.  Does it run out of memory, i.e. about once a day the
> cache fills up and something set the ulimit on heap-size or
> something like to, say, 1G but you configured unbound to use 2G,
> and when it crosses the 1G line it gets killed (but weird that
> kqueue gives an error).

It is not the number of sockets or the heap limits, but capsicum.

> 
> What version of libevent are you using?

- From FreeBSD documentation I learned that this errno indicates that
the capabilities associated with a socket did not permit an operation
to be performed.  One of the capabilities is the capability to use the
kqueue socket for kqueue polling.  But no doubt there are also other
capabilities.  It says capabilities can be reduced but not expanded by
the program.  This is great, but why does a particular fd have its
capabilities reduced (unbound does not mess with socket capabilities)?

I have no idea why the capability reduction happens.  ktrace is
probably too expensive in its logging fervor?

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJS6mc3AAoJEJ9vHC1+BF+NIbIP/Ah4OqGAxeCKiZ7dhCnr5ZzS
pVqiHGAxILgmDXld1mxx3Xz6Vvx6gzNTEXQ4v1T3Q2+oWtQ2+y9djRLs1AnMShEe
Gs3ZkB1H3ApZkhY25lyxy+AMPipsFdIWK/kj2SvdiPyxjanKV15WH3JG3vLS+c8S
eqLPOjB/VQ6qMgzURI+1d8XjKcNSL/gm5yEK0jhTdqjqQDS98sJroWf1kvhXAmZJ
DsOufwsW6AYkBHU/QvZK+ApKE+hG/6zekEj8X3SCB3lL8v1828YnAlefgG+cuvum
VgmcTbRXcTAxlj0FCZeNsYizgvGMo8vjbgbqfLpSPc5MOKo+AsS2Q/XLTrV4iUK2
/FWrw8yn3GQ9IX623OzmlIvIQl+8ofuTWM9cciv1ThzaViJPcSDI3BI6WkIQK0hA
cnRZLoXztHAcCbliPjTUih5wCSFdUK680mje5oQs+1yl0s6OpjS6UQzAnL2FtSYb
zcVp1QmUYYmLt0GHmaHSkbpnZo7Y8JBxVOB4tNQnwhXG5ePFje2n6Fiu93xrJfby
yC5loolv/uEqTDri7V97Fe9DdrBTvNseK+iSmuLvWQOyZHnGvSxlXGlvtbVK9SiJ
DCDzH8YRKOrB4CK/JBwXG9eoqWOsIgI4oZpU3p/E7WFUh+B+eme6yMsnRHstuK/6
XdcTbm6GT+dHp89Zhs66
=iG58
-----END PGP SIGNATURE-----