Update to Linux 4.10.1-1 Broke Bind9 /etc/named.conf never reached on startup
David C. Rankin
2017-03-12 14:00:37 UTC
All,

After update to Linux 4.10.1-1, Bind9 cannot connect to 127.0.0.1#953. This
server has been flawless with Bind for 4 years. Now, for example attempting to
sync zones:

# rndc -V sync --clean
create memory context
create socket manager
create task manager
create task
create logging context
setting log tag
creating log channel
enabling log channel
create parser
get key
decode base64 secret
allocate data buffer
sync
post event
using server 127.0.0.1 (127.0.0.1#953)
create socket
bind socket
connect
rndc: connect failed: 127.0.0.1#953: connection refused

This began with the March 10 update. Now attempting to stop named results in
a timeout:

Mar 12 08:45:18 phoinix systemd[1]: Stopped Internet domain name server.
Mar 12 08:45:18 phoinix systemd[1]: named.service: Unit entered failed state.
Mar 12 08:45:18 phoinix systemd[1]: named.service: Failed with result 'timeout'.

Attempting to start named, named never loads the zone files and never
processes the libseccomp sandboxing active command during startup. Now, the
total startup for named in the journal is:

Mar 10 18:43:53 phoinix named[452]: starting BIND 9.11.0-P3 <id:4801fbc>
Mar 10 18:43:53 phoinix named[452]: running on Linux x86_64 4.10.1-1-ARCH #1 SMP PREEMPT Sun Feb 26 21:08:53 UTC 2017
Mar 10 18:43:53 phoinix named[452]: built with '<snip stuff>'
Mar 10 18:43:53 phoinix named[452]: running as: named -f -u named
Mar 10 18:43:53 phoinix named[452]: ----------------------------------------------------
Mar 10 18:43:53 phoinix named[452]: BIND 9 is maintained by Internet Systems Consortium,
Mar 10 18:43:53 phoinix named[452]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Mar 10 18:43:53 phoinix named[452]: corporation. Support and training for BIND 9 are
Mar 10 18:43:53 phoinix named[452]: available at https://www.isc.org/support
Mar 10 18:43:53 phoinix named[452]: ----------------------------------------------------
Mar 10 18:43:53 phoinix named[452]: adjusted limit on open files from 4096 to 1048576
Mar 10 18:43:53 phoinix named[452]: found 4 CPUs, using 4 worker threads
Mar 10 18:43:53 phoinix named[452]: using 3 UDP listeners per interface
Mar 10 18:43:53 phoinix named[452]: using up to 4096 sockets

Where normally, the startup should continue with, e.g.:

Feb 21 14:15:38 phoinix named[442]: libseccomp sandboxing active
Feb 21 14:15:38 phoinix named[442]: loading configuration from '/etc/named.conf'
Feb 21 14:15:38 phoinix named[442]: reading built-in trusted keys from file '/etc/bind.keys'
Feb 21 14:15:38 phoinix named[442]: initializing GeoIP Country (IPv4) (type 1) DB
Feb 21 14:15:38 phoinix named[442]: GEO-106FREE 20170207 Build 1 Copy
Feb 21 14:15:38 phoinix named[442]: initializing GeoIP Country (IPv6) (type 12) DB
Feb 21 14:15:38 phoinix named[442]: GEO-106FREE 20170207 Build 1 C
Feb 21 14:15:38 phoinix named[442]: GeoIP City (IPv4) (type 2) DB not available
Feb 21 14:15:38 phoinix named[442]: GeoIP City (IPv4) (type 6) DB not available
Feb 21 14:15:38 phoinix named[442]: GeoIP City (IPv6) (type 30) DB not available
Feb 21 14:15:38 phoinix named[442]: GeoIP City (IPv6) (type 31) DB not available
Feb 21 14:15:38 phoinix named[442]: GeoIP Region (type 3) DB not available
Feb 21 14:15:38 phoinix named[442]: GeoIP Region (type 7) DB not available
Feb 21 14:15:38 phoinix named[442]: GeoIP ISP (type 4) DB not available
Feb 21 14:15:38 phoinix named[442]: GeoIP Org (type 5) DB not available
Feb 21 14:15:38 phoinix named[442]: GeoIP AS (type 9) DB not available
Feb 21 14:15:38 phoinix named[442]: GeoIP Domain (type 11) DB not available
Feb 21 14:15:38 phoinix named[442]: GeoIP NetSpeed (type 10) DB not available
Feb 21 14:15:38 phoinix named[442]: using default UDP/IPv4 port range: [32768, 60999]
Feb 21 14:15:38 phoinix named[442]: using default UDP/IPv6 port range: [32768, 60999]
Feb 21 14:15:38 phoinix named[442]: listening on IPv4 interface lo, 127.0.0.1#53
Feb 21 14:15:38 phoinix named[442]: listening on IPv4 interface enp0s10, 192.168.7.16#53
Feb 21 14:15:38 phoinix named[442]: generating session key for dynamic DNS
Feb 21 14:15:38 phoinix named[442]: sizing zone task pool based on 5 zones
Feb 21 14:15:38 phoinix named[442]: 'max-cache-size 90%' - setting to 7189MB (out of 7988MB)
Feb 21 14:15:38 phoinix named[442]: set up managed keys zone for view _default, file 'managed-keys.bind'
Feb 21 14:15:38 phoinix named[442]: automatic empty zone: 10.IN-ADDR.ARPA
Feb 21 14:15:38 phoinix named[442]: automatic empty zone: 16.172.IN-ADDR.ARPA
Feb 21 14:15:38 phoinix named[442]: automatic empty zone: 17.172.IN-ADDR.ARPA
Feb 21 14:15:38 phoinix named[442]: automatic empty zone: 18.172.IN-ADDR.ARPA
Feb 21 14:15:38 phoinix named[442]: automatic empty zone: 19.172.IN-ADDR.ARPA

For some reason the 'libseccomp sandboxing active' command never issues and
/etc/named.conf is never processed. I have not touched the configuration here
in a "long long time..."

Is this a kernel bug, a libseccomp bug, what?
--
David C. Rankin, J.D.,P.E.
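
A check for the symptom described in the message above, as an added example that is not part of the original thread: it groups named journal lines by PID and reports any start that logged "starting BIND" but never reached "loading configuration from". The sample lines are constructed from the journal excerpts quoted above (the "starting BIND" line for PID 442 is assumed), and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the journal excerpts in the post:
# PID 452 is the stalled start on 4.10.1-1, PID 442 is a normal start.
SAMPLE = """\
Mar 10 18:43:53 phoinix named[452]: starting BIND 9.11.0-P3 <id:4801fbc>
Mar 10 18:43:53 phoinix named[452]: found 4 CPUs, using 4 worker threads
Mar 10 18:43:53 phoinix named[452]: using up to 4096 sockets
Feb 21 14:15:38 phoinix named[442]: starting BIND 9.11.0-P3 <id:4801fbc>
Feb 21 14:15:38 phoinix named[442]: using up to 4096 sockets
Feb 21 14:15:38 phoinix named[442]: libseccomp sandboxing active
Feb 21 14:15:38 phoinix named[442]: loading configuration from '/etc/named.conf'
"""

LINE_RE = re.compile(r"named\[(\d+)\]: (.*)")

# Startup milestones in the order a healthy start logs them. A build without
# seccomp support would not log "sandbox", so "config" is the decisive one.
MILESTONES = [
    ("start", "starting BIND"),
    ("sandbox", "libseccomp sandboxing active"),
    ("config", "loading configuration from"),
]


def startup_report(lines):
    """Map each named PID to the set of milestones it logged."""
    seen = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a named line (or a wrapped continuation)
        pid, msg = int(m.group(1)), m.group(2)
        reached = seen.setdefault(pid, set())
        for name, needle in MILESTONES:
            if msg.startswith(needle):
                reached.add(name)
    return seen


def stalled_starts(lines):
    """Return {pid: [missing milestones]} for starts that never loaded config."""
    return {
        pid: [name for name, _ in MILESTONES if name not in reached]
        for pid, reached in startup_report(lines).items()
        if "start" in reached and "config" not in reached
    }


if __name__ == "__main__":
    print(stalled_starts(SAMPLE.splitlines()))
```

On a live host the input would be the output of `journalctl -u named -o short` rather than the embedded sample.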
David C. Rankin
2017-03-12 14:24:10 UTC
Post by David C. Rankin
> For some reason the 'libseccomp sandboxing active' command never issues and
> /etc/named.conf is never processed. I have not touched the configuration here
> in a "long long time..."
> Is this a kernel bug, a libseccomp bug, what?
Uugh...

Whatever broke, I need to find a solution, and fast, this is the mail host
for my office and it is now rejecting all mail, e.g.:

Mar 12 09:06:23 phoinix postfix/smtpd[1107]: connect from unknown[206.224.69.184]
Mar 12 09:06:23 phoinix postfix/smtpd[1107]: NOQUEUE: reject: RCPT from unknown[206.224.69.184]: 450 4.7.25 Client host rejected: cannot find your hostname, [206.224.69.184]; from=<***@email.texasbarcle.com> to=<***@rankinlawfirm.com> proto=ESMTP helo=<massmail.texasbarcle.com>
Mar 12 09:06:23 phoinix postfix/smtpd[1107]: disconnect from unknown[206.224.69.184] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4

Downgrading the following solved the problem:

[2017-03-12 09:18] [PACMAN] Running 'pacman -U
linux-api-headers-4.7-1-x86_64.pkg.tar.xz
geoip-database-20170207-1-any.pkg.tar.xz linux-4.9.9-1-x86_64.pkg.tar.xz
linux-headers-4.9.9-1-x86_64.pkg.tar.xz openresolv-3.8.1-1-any.pkg.tar.xz
glibc-2.24-2-x86_64.pkg.tar.xz binutils-2.27-1-x86_64.pkg.tar.xz
gcc-libs-6.3.1-1-x86_64.pkg.tar.xz cifs-utils-6.5-1-x86_64.pkg.tar.xz
gcc-6.3.1-1-x86_64.pkg.tar.xz libinput-1.6.2-1-x86_64.pkg.tar.xz
linux-firmware-20170217.12987ca-2-any.pkg.tar.xz
xf86-input-libinput-0.24.0-1-x86_64.pkg.tar.xz
valgrind-3.12.0-1-x86_64.pkg.tar.xz'
[2017-03-12 09:18] [ALPM] transaction started
[2017-03-12 09:18] [ALPM] downgraded linux-api-headers (4.10.1-1 -> 4.7-1)
[2017-03-12 09:18] [ALPM] downgraded geoip-database (20170307-1 -> 20170207-1)
[2017-03-12 09:18] [ALPM] downgraded linux-firmware (20170227.5abb924-1 ->
20170217.12987ca-2)
[2017-03-12 09:18] [ALPM] downgraded glibc (2.25-1 -> 2.24-2)
[2017-03-12 09:18] [ALPM-SCRIPTLET] Generating locales...
[2017-03-12 09:18] [ALPM-SCRIPTLET] en_US.UTF-8... done
[2017-03-12 09:18] [ALPM-SCRIPTLET] Generation complete.
[2017-03-12 09:18] [ALPM] downgraded gcc-libs (6.3.1-2 -> 6.3.1-1)
[2017-03-12 09:19] [ALPM] downgraded linux (4.10.1-1 -> 4.9.9-1)
[2017-03-12 09:19] [ALPM-SCRIPTLET] >>> Updating module dependencies. Please
wait ...
[2017-03-12 09:19] [ALPM] downgraded linux-headers (4.10.1-1 -> 4.9.9-1)
[2017-03-12 09:19] [ALPM] reinstalled openresolv (3.8.1-1)
[2017-03-12 09:19] [ALPM] downgraded binutils (2.28-1 -> 2.27-1)
[2017-03-12 09:19] [ALPM] downgraded cifs-utils (6.7-1 -> 6.5-1)
[2017-03-12 09:19] [ALPM] downgraded gcc (6.3.1-2 -> 6.3.1-1)
[2017-03-12 09:19] [ALPM] downgraded libinput (1.6.3-1 -> 1.6.2-1)
[2017-03-12 09:19] [ALPM] downgraded xf86-input-libinput (0.25.0-1 -> 0.24.0-1)
[2017-03-12 09:19] [ALPM] downgraded valgrind (3.12.0-2 -> 3.12.0-1)
[2017-03-12 09:19] [ALPM] transaction completed
[2017-03-12 09:19] [ALPM] running '99-linux.hook'...
[2017-03-12 09:19] [ALPM-SCRIPTLET] ==> Building image from preset:
/etc/mkinitcpio.d/linux.preset: 'default'
[2017-03-12 09:19] [ALPM-SCRIPTLET] -> -k /boot/vmlinuz-linux -c
/etc/mkinitcpio.conf -g /boot/initramfs-linux.img
[2017-03-12 09:19] [ALPM-SCRIPTLET] ==> Starting build: 4.9.9-1-ARCH
[2017-03-12 09:19] [ALPM-SCRIPTLET] -> Running build hook: [base]
[2017-03-12 09:19] [ALPM-SCRIPTLET] -> Running build hook: [udev]
[2017-03-12 09:19] [ALPM-SCRIPTLET] -> Running build hook: [autodetect]
[2017-03-12 09:19] [ALPM-SCRIPTLET] -> Running build hook: [modconf]
[2017-03-12 09:19] [ALPM-SCRIPTLET] -> Running build hook: [block]
[2017-03-12 09:19] [ALPM-SCRIPTLET] -> Running build hook: [mdadm_udev]
[2017-03-12 09:19] [ALPM-SCRIPTLET] Custom /etc/mdadm.conf file will be used
in initramfs for assembling arrays.
[2017-03-12 09:19] [ALPM-SCRIPTLET] -> Running build hook: [filesystems]
[2017-03-12 09:19] [ALPM-SCRIPTLET] -> Running build hook: [keyboard]
[2017-03-12 09:19] [ALPM-SCRIPTLET] -> Running build hook: [fsck]
[2017-03-12 09:19] [ALPM-SCRIPTLET] ==> Generating module dependencies
[2017-03-12 09:19] [ALPM-SCRIPTLET] ==> Creating gzip-compressed initcpio
image: /boot/initramfs-linux.img
[2017-03-12 09:19] [ALPM-SCRIPTLET] ==> Image generation successful
[2017-03-12 09:19] [ALPM-SCRIPTLET] ==> Building image from preset:
/etc/mkinitcpio.d/linux.preset: 'fallback'
[2017-03-12 09:19] [ALPM-SCRIPTLET] -> -k /boot/vmlinuz-linux -c
/etc/mkinitcpio.conf -g /boot/initramfs-linux-fallback.img -S autodetect
[2017-03-12 09:19] [ALPM-SCRIPTLET] ==> Starting build: 4.9.9-1-ARCH
[2017-03-12 09:19] [ALPM-SCRIPTLET] -> Running build hook: [base]
[2017-03-12 09:19] [ALPM-SCRIPTLET] -> Running build hook: [udev]
[2017-03-12 09:19] [ALPM-SCRIPTLET] -> Running build hook: [modconf]
[2017-03-12 09:19] [ALPM-SCRIPTLET] -> Running build hook: [block]
[2017-03-12 09:19] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for
module: wd719x
[2017-03-12 09:19] [ALPM-SCRIPTLET] ==> WARNING: Possibly missing firmware for
module: aic94xx
[2017-03-12 09:19] [ALPM-SCRIPTLET] -> Running build hook: [mdadm_udev]
[2017-03-12 09:19] [ALPM-SCRIPTLET] Custom /etc/mdadm.conf file will be used
in initramfs for assembling arrays.
[2017-03-12 09:19] [ALPM-SCRIPTLET] -> Running build hook: [filesystems]
[2017-03-12 09:19] [ALPM-SCRIPTLET] -> Running build hook: [keyboard]
[2017-03-12 09:19] [ALPM-SCRIPTLET] -> Running build hook: [fsck]
[2017-03-12 09:19] [ALPM-SCRIPTLET] ==> Generating module dependencies
[2017-03-12 09:19] [ALPM-SCRIPTLET] ==> Creating gzip-compressed initcpio
image: /boot/initramfs-linux-fallback.img
[2017-03-12 09:19] [ALPM-SCRIPTLET] ==> Image generation successful
[2017-03-12 09:19] [ALPM] running 'systemd-hwdb.hook'...
[2017-03-12 09:19] [ALPM] running 'systemd-tmpfiles.hook'...
[2017-03-12 09:19] [ALPM] running 'systemd-update.hook'...
[2017-03-12 09:19] [ALPM] running 'texinfo-install.hook'...

There is a BIG bug in one of those upgrades -- but which one?
--
David C. Rankin, J.D.,P.E.
David C. Rankin
2017-03-12 14:36:48 UTC
Post by David C. Rankin
> There is a BIG bug in one of those upgrades -- but which one?
If it helps, I had individually downgraded the following and tested, but
named remained broken until I backed out the block of packages containing the
kernel and gcc. I had individually tried:

[2017-03-12 08:33] [ALPM] downgraded bind-tools (9.11.0.P3-2 -> 9.11.0.P3-1)
[2017-03-12 08:33] [ALPM] downgraded bind (9.11.0.P3-2 -> 9.11.0.P3-1)

No change.

[2017-03-12 09:02] [ALPM] downgraded geoip-database (20170307-1 -> 20170207-1)

No change.

[2017-03-12 09:06] [ALPM] downgraded openresolv (3.9.0-1 -> 3.8.1-1)

No change.

[2017-03-12 09:18] [ALPM] transaction started
[2017-03-12 09:18] [ALPM] downgraded linux-api-headers (4.10.1-1 -> 4.7-1)
[2017-03-12 09:18] [ALPM] downgraded geoip-database (20170307-1 -> 20170207-1)
[2017-03-12 09:18] [ALPM] downgraded linux-firmware (20170227.5abb924-1 ->
20170217.12987ca-2)
[2017-03-12 09:18] [ALPM] downgraded glibc (2.25-1 -> 2.24-2)
[2017-03-12 09:18] [ALPM-SCRIPTLET] Generating locales...
[2017-03-12 09:18] [ALPM-SCRIPTLET] en_US.UTF-8... done
[2017-03-12 09:18] [ALPM-SCRIPTLET] Generation complete.
[2017-03-12 09:18] [ALPM] downgraded gcc-libs (6.3.1-2 -> 6.3.1-1)
[2017-03-12 09:19] [ALPM] downgraded linux (4.10.1-1 -> 4.9.9-1)
[2017-03-12 09:19] [ALPM-SCRIPTLET] >>> Updating module dependencies. Please
wait ...
[2017-03-12 09:19] [ALPM] downgraded linux-headers (4.10.1-1 -> 4.9.9-1)
[2017-03-12 09:19] [ALPM] reinstalled openresolv (3.8.1-1)
[2017-03-12 09:19] [ALPM] downgraded binutils (2.28-1 -> 2.27-1)
[2017-03-12 09:19] [ALPM] downgraded cifs-utils (6.7-1 -> 6.5-1)
[2017-03-12 09:19] [ALPM] downgraded gcc (6.3.1-2 -> 6.3.1-1)
[2017-03-12 09:19] [ALPM] downgraded libinput (1.6.3-1 -> 1.6.2-1)
[2017-03-12 09:19] [ALPM] downgraded xf86-input-libinput (0.25.0-1 -> 0.24.0-1)
[2017-03-12 09:19] [ALPM] downgraded valgrind (3.12.0-2 -> 3.12.0-1)
[2017-03-12 09:19] [ALPM] transaction completed

Success.

So one of the packages in the block upgrade is the culprit. And candidly it
is probably either the kernel or gcc, but that is just a suspicion.

Should I open a bug, and if so, which package do I open it under?
--
David C. Rankin, J.D.,P.E.
Doug Newgard
2017-03-12 14:41:34 UTC
On Sun, 12 Mar 2017 09:36:48 -0500
Post by David C. Rankin
> Should I open a bug, and if so, which package do I open it under?
There already is one, has been for a couple of days
Mauro Santos via arch-general
2017-03-12 15:36:53 UTC
Post by David C. Rankin
> All,
> After update to Linux 4.10.1-1, Bind9 cannot connect to 127.0.0.1#953. This
> server has been flawless with Bind for 4 years. Now, for example attempting to
It seems other people also have noticed problems:
https://bbs.archlinux.org/viewtopic.php?id=224028

I guess the quick "fix" would be to downgrade the kernel or maybe try
the lts kernel.
--
Mauro Santos
David C. Rankin
2017-03-12 19:37:47 UTC
Post by Mauro Santos via arch-general
> Post by David C. Rankin
>> All,
>> After update to Linux 4.10.1-1, Bind9 cannot connect to 127.0.0.1#953. This
>> server has been flawless with Bind for 4 years. Now, for example attempting to
> https://bbs.archlinux.org/viewtopic.php?id=224028
> I guess the quick "fix" would be to downgrade the kernel or maybe try
> the lts kernel.
Mauro, Doug,

Thanks, I'll add what I found to the bug. The downgrade solved the problem.
--
David C. Rankin, J.D.,P.E.