Created attachment 144319
mark as BROKEN
unbound crashes on FreeBSD 10.0+ due to bad interaction with Capsicum framework.
Log entry looks like this:
    Jul 1 08:44:16 yourservername unbound: [1892:1] fatal error: event_dispatch returned error -1, errno is Capabilities insufficient
It was briefly discussed here: http://comments.gmane.org/gmane.network.dns.unbound.user/2968
I suggest we mark it BROKEN on 10.0+ until this is corrected so users do not run into their production DNS resolvers unexpectedly crashing.
Over to maintainer.
A patch for FreeBSD is coming soon.
Is there any update on this? I'm running into the 'fatal error: event_dispatch returned error -1, errno is Capabilities insufficient' problem at the moment, and it is now two months since the last update. The port really should be marked as broken on 10.x+ until this is resolved.
I received a patch from mjg which fixed it, but of course the fix was in the kernel. I'm going to just commit this change to the unbound port so at least people are aware. Perhaps additional awareness will get the train moving. :-) Thanks for the poke
A commit references this bug:
Author: feld
Date: Thu Oct 16 13:19:40 UTC 2014
New revision: 371006
URL: https://svnweb.freebsd.org/changeset/ports/371006
Log:
  Mark unbound BROKEN for FreeBSD 10.0+ if built with libevent
  There is a known issue that causes random crashes due to poor interaction with Capsicum.
  PR: 191532
Changes:
  head/dns/unbound/Makefile
sem, the port has been marked BROKEN to protect users. When a fix has reached a RELEASE please update the port to adjust the BROKEN parameter. Thanks!
A commit references this bug:
Author: feld
Date: Thu Oct 16 13:52:42 UTC 2014
New revision: 371007
URL: https://svnweb.freebsd.org/changeset/ports/371007
Log:
  Correct last patch. There is only one libevent now.
  Pointyhat -> feld
  PR: 191532
Changes:
  head/dns/unbound/Makefile
So if I have a kernel without Capsicum installed, I will not trip this error? I think so because I never see this error.
(In reply to Vick Khera from comment #8)
> So if I have a kernel without Capsicum installed, I will not trip this
> error? I think so because I never see this error.
That would be correct. You need the capabilities framework to run into this.
(In reply to Mark Felder from comment #4)
> I received a patch from mjg which fixed it, but of course the fix was in the
> kernel.
Is this patch available somewhere?
According to mjg, this has been fixed for some time in stable/10 (r273137) and on releng/10.1. IMO the BROKEN state should be removed from the unbound port.
(In reply to Renato Botelho from comment #11)
> According to mjg, this has been fixed for some time in stable/10 (r273137) and on
> releng/10.1. IMO the BROKEN state should be removed from the unbound port.
Yes, it should be removed. I'd like to know if we support a way to permit building the package on 10.0 but have it BROKEN for *installing* on 10.0. I don't like the idea of forcing people to run a separate 10.1 poudriere repository just for dns/unbound with LIBEVENT. I'm sure lots of people will have mixed 10.0 and 10.1 servers for some time.
Since the LIBEVENT option is off by default, I don't see a problem with building the package on 10.0.
That's not quite what I meant. This is what I was trying to communicate: You can't expect that every end user is going to be building from ports and will build this package on 10.1-RELEASE. At my previous job we had our own poudriere servers so we could distribute packages with the custom options we needed. And like the official FreeBSD repositories, we build against the oldest supported version for that release. The problem I want to avoid is breaking the user's ability to have a 10.0-RELEASE package repository and being unable to build unbound with LIBEVENT which they intend to install on a 10.1-RELEASE server. Requiring them to set up another poudriere package repository just for unbound with LIBEVENT is ridiculous and something I hope we can prevent, as we have been communicating to users that poudriere is a first class citizen and they should follow our methodology when building packages for their fleet of servers.
A commit references this bug:
Author: feld
Date: Mon Dec 1 15:05:06 UTC 2014
New revision: 373710
URL: https://svnweb.freebsd.org/changeset/ports/373710
Log:
  Remove BROKEN for LIBEVENT and 10.0+ and replace with an appropriate warning in the pkg-message
  PR: 191532
Changes:
  head/dns/unbound/Makefile
  head/dns/unbound/files/pkg-message.in
I've replaced the BROKEN with a warning in pkg-message. This should be sufficient to inform users of the dangers without preventing them from running the package on an unaffected system which we do not have the capability to detect.