Unbound listening on all interfaces

Bug #1761785 reported by Mohammed Naser
This bug affects 4 people

Affects: OpenStack-Ansible
Status: Fix Released
Importance: Low
Assigned to: Unassigned

Bug Description

By default, unbound is listening on all interfaces, which means that on a metal deployment with containers alongside it, it will try to listen on the interface which is managed by dnsmasq-lxc and fail.

Changed in openstack-ansible:
status: New → Confirmed
importance: Undecided → Low
Benoît Knecht (benoit-knecht) wrote :

It also makes deployments in Ubuntu 18.04 containers fail, because systemd-resolved is already listening on 127.0.0.53:53:

RUNNING HANDLER [unbound : Restart unbound] ***********************************************************************************************************************************************************************************************************************************************************************************
fatal: [controller-dc1r02n01_unbound_container-fbb6fb41]: FAILED! => {"changed": false, "msg": "Unable to restart service unbound: Job for unbound.service failed because the control process exited with error code.\nSee \"systemctl status unbound.service\" and \"journalctl -xe\" for details.\n"}
fatal: [controller-dc1r02n02_unbound_container-dcf7247c]: FAILED! => {"changed": false, "msg": "Unable to restart service unbound: Job for unbound.service failed because the control process exited with error code.\nSee \"systemctl status unbound.service\" and \"journalctl -xe\" for details.\n"}
fatal: [controller-dc1r02n03_unbound_container-b04165bc]: FAILED! => {"changed": false, "msg": "Unable to restart service unbound: Job for unbound.service failed because the control process exited with error code.\nSee \"systemctl status unbound.service\" and \"journalctl -xe\" for details.\n"}

root@controller-dc1r02n01-unbound-container-fbb6fb41:~# journalctl -eu unbound.service
Nov 27 16:06:42 controller-dc1r02n01-unbound-container-fbb6fb41 systemd[1]: Starting Unbound DNS server...
Nov 27 16:06:43 controller-dc1r02n01-unbound-container-fbb6fb41 package-helper[1047]: /var/lib/unbound/root.key has content
Nov 27 16:06:43 controller-dc1r02n01-unbound-container-fbb6fb41 package-helper[1047]: success: the anchor is ok
Nov 27 16:06:43 controller-dc1r02n01-unbound-container-fbb6fb41 unbound[1051]: [1543334803] unbound[1051:0] error: can't bind socket: Address already in use for 0.0.0.0
Nov 27 16:06:43 controller-dc1r02n01-unbound-container-fbb6fb41 unbound[1051]: [1543334803] unbound[1051:0] fatal error: could not open ports
Nov 27 16:06:43 controller-dc1r02n01-unbound-container-fbb6fb41 systemd[1]: unbound.service: Main process exited, code=exited, status=1/FAILURE
Nov 27 16:06:43 controller-dc1r02n01-unbound-container-fbb6fb41 systemd[1]: unbound.service: Failed with result 'exit-code'.
Nov 27 16:06:43 controller-dc1r02n01-unbound-container-fbb6fb41 systemd[1]: Failed to start Unbound DNS server.
Nov 27 16:06:43 controller-dc1r02n01-unbound-container-fbb6fb41 systemd[1]: unbound.service: Service hold-off time over, scheduling restart.
Nov 27 16:06:43 controller-dc1r02n01-unbound-container-fbb6fb41 systemd[1]: unbound.service: Scheduled restart job, restart counter is at 5.
Nov 27 16:06:43 controller-dc1r02n01-unbound-container-fbb6fb41 systemd[1]: Stopped Unbound DNS server.
Nov 27 16:06:43 controller-dc1r02n01-unbound-container-fbb6fb41 systemd[1]: unbound.service: Start request repeated too quickly.
Nov 27 16:06:43 controller-dc1r02n01-unbound-container-fbb6fb41 systemd[1]: unbound.service: Failed with result 'exit-code'.
Nov 27 16:06:43 controller-dc1r02n01-unbound-container-fbb6fb41 systemd[1]: Failed to start Unbound DNS...

Jonathan Senecal (jsenecal) wrote :

I encountered the same issue and fixed it by setting ```unbound_listen_interface: "{{ ansible_eth1.ipv4.address }}"``` in user_variables.yml as well to be able to install in Ubuntu 18.04 containers, because systemd-resolved was already listening on 127.0.0.53:53.

This is, I think, the only place where this issue is documented as I couldn't find any other workaround.

This needs to either:
a) be documented
b) have better default settings
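
The bind failure discussed in this report can be reproduced without unbound or root. The following is an added example, not part of the original thread or of the role's code: it assumes Linux, uses a kernel-chosen unprivileged port instead of 53, and uses 127.0.0.1 as a stand-in for the single address selected through unbound_listen_interface.

```python
import errno
import socket

STUB_ADDR = "127.0.0.53"  # address systemd-resolved listens on, per the report


def try_bind(sock_type, addr, port):
    """Bind without SO_REUSEADDR; return (socket, 'ok') or (None, errno name)."""
    s = socket.socket(socket.AF_INET, sock_type)
    try:
        s.bind((addr, port))
        return s, "ok"
    except OSError as exc:
        s.close()
        return None, errno.errorcode.get(exc.errno, str(exc.errno))


def bind_conflict_demo(sock_type):
    """Hold a stub listener, then try a wildcard and a specific-address bind."""
    # Constructed stand-in for the listener that already owns the port.
    # Port 0 lets the kernel pick a free unprivileged port (real DNS uses 53).
    stub, status = try_bind(sock_type, STUB_ADDR, 0)
    if stub is None:
        raise RuntimeError(f"cannot bind stand-in listener: {status}")
    port = stub.getsockname()[1]
    results = {}
    try:
        # "0.0.0.0" is the listen-on-everything default; "127.0.0.1" is an
        # assumed stand-in for one explicitly configured listen address.
        for label, addr in (("all_interfaces", "0.0.0.0"),
                            ("one_address", "127.0.0.1")):
            sock, results[label] = try_bind(sock_type, addr, port)
            if sock is not None:
                sock.close()
    finally:
        stub.close()
    return results


if __name__ == "__main__":
    for name, sock_type in (("udp", socket.SOCK_DGRAM),
                            ("tcp", socket.SOCK_STREAM)):
        print(name, bind_conflict_demo(sock_type))
```

The wildcard bind collides with any listener already holding the port on any local address, which is why restricting unbound to one address avoids both the systemd-resolved and the dnsmasq-lxc conflicts.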

Antoine Thys (thystips) wrote :

For me, using ```unbound_listen_interface: "{{ ansible_eth1.ipv4.address }}"``` doesn't work. Instead you can use ```unbound_listen_interface: "{{ hostvars[inventory_hostname]['management_address'] }}"``` to listen on the unbound container's management interface (eth1).

Dmitriy Rabotyagov (noonedeadpunk) wrote :

Since Victoria you can use unbound_listen_interface: "{{ openstack_service_bind_address }}". I'm not sure what release you're running though.

Dmitriy Rabotyagov (noonedeadpunk) wrote :

So, to finally close this bug report, I've pushed a PR:
https://github.com/noonedeadpunk/ansible-role-unbound/pull/9

Changed in openstack-ansible:
status: Confirmed → Fix Released