Hello all,
I have a question regarding cache size and it’s using. We are running
knot-resolver on RaspberryPI 4 (as secondary cache). Previously we had
256MB cache as tmpfs and hit issue that process crashed due to “No space
left on device (workdir '/var/lib/knot-resolver')” I doubled the site to
512MB, but same issue occurs. My question is why it crash even from the
logs the usage of cache is about 80 percent (same in the case with 256MB).
I taught that kres-cache-gc is taking care about its size and it does not
allow to full the cache and prevent writing to it in the way that main
process crash. Should we increase the cache size or we hit a some bug? Any
other suggestion what could cause that cache is full and not “cleared”?
Thank you for tip and have a nice day. Petr Kyselak
Config:
/etc/fstab
tmpfs /var/cache/knot-resolver tmpfs
rw,size=512m,uid=knot-resolver,gid=knot-resolver,nosuid,nodev,noexec,mode=0700
0 00
-- Cache size
cache.size = cache.fssize() - 10*MB
Logs:
Jun 4 16:32:05 dns-cache-2 kres-cache-gc[548]: Cache analyzed in 1.41
secs, 1038386 records, limit category is 100.
Jun 4 16:32:05 dns-cache-2 kres-cache-gc[548]: 0 records to be deleted
using 0.00 MBytes of temporary memory, 0 records skipped due to memory
limit.
Jun 4 16:32:05 dns-cache-2 kres-cache-gc[548]: Deleted 0 records (0
already gone) types
Jun 4 16:32:05 dns-cache-2 kres-cache-gc[548]: It took 0.00 secs, 0
transactions (OK)
Jun 4 16:32:05 dns-cache-2 kres-cache-gc[548]: Usage: 81.32% (428077056 /
526385152)
Jun 4 16:32:05 dns-cache-2 kres-cache-gc[548]: Cache analyzed in 1.41
secs, 1038420 records, limit category is 100.
Jun 4 16:32:05 dns-cache-2 kres-cache-gc[548]: 0 records to be deleted
using 0.00 MBytes of temporary memory, 0 records skipped due to memory
limit.
Jun 4 16:32:05 dns-cache-2 kres-cache-gc[548]: Deleted 0 records (0
already gone) types
Jun 4 16:32:05 dns-cache-2 kres-cache-gc[548]: It took 0.00 secs, 0
transactions (OK)
Jun 4 16:32:05 dns-cache-2 kres-cache-gc[548]: Usage: 81.32% (428077056 /
526385152)
Jun 4 16:32:05 dns-cache-2 kres-cache-gc[548]: Cache analyzed in 1.41
secs, 1038420 records, limit category is 100.
Jun 4 16:32:05 dns-cache-2 kres-cache-gc[548]: 0 records to be deleted
using 0.00 MBytes of temporary memory, 0 records skipped due to memory
limit.
Jun 4 16:32:05 dns-cache-2 kres-cache-gc[548]: Deleted 0 records (0
already gone) types
Jun 4 16:32:05 dns-cache-2 kres-cache-gc[548]: It took 0.00 secs, 0
transactions (OK)
Jun 4 16:32:05 dns-cache-2 kres-cache-gc[548]: Usage: 81.32% (428077056 /
526385152)
Jun 4 16:32:05 dns-cache-2 kres-cache-gc[548]: Cache analyzed in 1.41
secs, 1038421 records, limit category is 100.
Jun 4 16:32:32 dns-cache-2 kresd[672]: [cache] MDB_BAD_TXN, probably
overfull
Jun 4 16:32:32 dns-cache-2 kresd[672]: [cache] clearing error, falling back
Jun 4 16:32:32 dns-cache-2 kresd[672]: [cache] MDB_BAD_TXN, probably
overfull
Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] MDB_BAD_TXN, probably
overfull
Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing error, falling back
Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] MDB_BAD_TXN, probably
overfull
Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing failed to get
./.cachelock; retry later
Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing because overfull,
ret = -17
Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] MDB_BAD_TXN, probably
overfull
Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing error, falling back
Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] MDB_BAD_TXN, probably
overfull
Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing failed to get
./.cachelock; retry later
Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing because overfull,
ret = -17
Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] MDB_BAD_TXN, probably
overfull
Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing error, falling back
Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] MDB_BAD_TXN, probably
overfull
Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing failed to get
./.cachelock; retry later
Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing because overfull,
ret = -17
…
Jun 4 16:32:32 dns-cache-2 systemd[1]: kresd(a)1.service: Main process
exited, code=killed, status=11/SEGV
Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing failed to get
./.cachelock; retry later
Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing because overfull,
ret = -17
Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] MDB_BAD_TXN, probably
overfull
Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing error, falling back
Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] MDB_BAD_TXN, probably
overfull
Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing failed to get
./.cachelock; retry later
Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing because overfull,
ret = -17
…
Jun 4 16:32:32 dns-cache-2 systemd[1]: kresd(a)1.service: Failed with result
'signal'.
…
Jun 4 16:32:32 dns-cache-2 systemd[1]: kresd(a)2.service: Main process
exited, code=killed, status=11/SEGV
Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing failed to get
./.cachelock; retry later
Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing because overfull,
ret = -17
Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] MDB_BAD_TXN, probably
overfull
Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing error, falling back
…
Jun 4 16:32:32 dns-cache-2 systemd[1]: kresd(a)2.service: Failed with result
'signal'.
Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing because overfull,
ret = -17
Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] MDB_BAD_TXN, probably
overfull
Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing error, falling back
…
Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] MDB_BAD_TXN, probably
overfull
Jun 4 16:32:32 dns-cache-2 kresd[675]: [cache] clearing because overfull,
ret = -28
Jun 4 16:32:32 dns-cache-2 systemd[1]: kresd(a)1.service: Service
RestartSec=100ms expired, scheduling restart.
Jun 4 16:32:32 dns-cache-2 systemd[1]: kresd(a)1.service: Scheduled restart
job, restart counter is at 1.
Jun 4 16:32:32 dns-cache-2 systemd[1]: kresd(a)2.service: Service
RestartSec=100ms expired, scheduling restart.
Jun 4 16:32:32 dns-cache-2 systemd[1]: kresd(a)2.service: Scheduled restart
job, restart counter is at 1.
Jun 4 16:32:32 dns-cache-2 kresd[30052]: [system] error while loading
config: /usr/lib/knot-resolver/sandbox.lua:400: can't open cache path
'/var/cache/knot-resolver'; working directory '/var/lib/knot-resolver'; No
space left on device (workdir '/var/lib/knot-resolver')
Jun 4 16:32:32 dns-cache-2 systemd[1]: kresd(a)1.service: Main process
exited, code=exited, status=1/FAILURE
Jun 4 16:32:32 dns-cache-2 systemd[1]: kresd(a)1.service: Failed with result
'exit-code'.
Jun 4 16:32:32 dns-cache-2 kresd[30051]: [system] error while loading
config: /usr/lib/knot-resolver/sandbox.lua:400: can't open cache path
'/var/cache/knot-resolver'; working directory '/var/lib/knot-resolver'; No
space left on device (workdir '/var/lib/knot-resolver')
Jun 4 16:32:32 dns-cache-2 systemd[1]: kresd(a)2.service: Main process
exited, code=exited, status=1/FAILURE
Jun 4 16:32:32 dns-cache-2 systemd[1]: kresd(a)2.service: Failed with result
'exit-code'.
Hello all,
I am trying to configure my local PC (always on server), to serve DNS
resolving all other computers in my LAN. I installed and enabled the
service. I've attempted configuration. Knot-resolver correctly resolves
DNS querier on localhost machine, but fails to reply to queries from
other LAN machines.
Can someone please share configuration which I should use to have LAN
resolving?
I've tried various net.listen(), net() in config file, to no avail. I've
studied this page
https://knot-resolver.readthedocs.io/en/stable/daemon-bindings-net_server.h…
but I have no idea which option I should put in config to enable my
server PC (192.168.1.44) to allow all PCs in LAN (192.168.1.xxx) to use
knot-resolver.
I'd appreciate if someone with knowledge would help a newbie like me.
Thank you!
pioruns
Hi all,
Is there a way to reload dynamically the knot-resolver configuration
without stopping knot-resolver ?
e.g I have to add this in the config file
extraTrees = policy.todnames({'foo.example.net'})
policy.add(policy.suffix(policy.FLAGS({'NO_CACHE'}), extraTrees))
policy.add(policy.suffix(policy.FORWARD({'192.168.0.15'}), extraTrees))
Is there a sort of CLI command to take it in account ?
Regards
______________________________
*Pierrick CHOVELON I *Ingénieur système
*Advanced Software I IT*
+33 4 77 43 27 05
pierrick.chovelon(a)savoye.com
*SAVOYE - 8, rue de la Richelandière - 42100 - Saint-Etienne - France*
*Savoye recrute ! <https://careers.savoye.com/#!/fr/index> - *www.savoye.com
Dear Knot Resolver users,
Knot Resolver 5.1.0 has been released!
We also have two important announcements:
1) Ubuntu and Debian repositories
Ubuntu and Debian users have to manually set up the upstream repository
once again by following the instructions at:
https://www.knot-resolver.cz/download/
We apologize for the inconvenience, tests are now in place to prevent
this from happening again.
2) The upcoming major version will contain reworked
hints/policy/prefill/rebinding/view modules and related functionalities.
Please participate in the following survey to ensure we do not forget
about your particular use-case:
https://www.knot-resolver.cz/survey/
It will help us to improve Knot Resolver. Thank you!
Our upstream repositories now also provide packages for CentOS 8,
Ubuntu 20.04 and Fedora 32.
And finally, the release notes for version 5.1.0:
Improvements
------------
- cache garbage collector: reduce filesystem operations when idle (!946)
- policy.DEBUG_ALWAYS and policy.DEBUG_IF for limited verbose logging
(!957)
- daemon: improve TCP query latency under heavy TCP load (!968)
- add policy.ANSWER action (!964, #192)
- policy.rpz support fake A/AAAA (!964, #194)
Bugfixes
--------
- cache: missing filesystem support for pre-allocation is no longer
fatal (#549)
- lua: policy.rpz() no longer watches the file when watch is set to
false (!954)
- fix a strict aliasing problem that might've lead to "miscompilation"
(!962)
- fix handling of DNAMEs, especially signed ones (#234, !965)
- lua resolve(): correctly include EDNS0 in the virtual packet (!963)
Custom modules might have been confused by that.
- do not leak bogus data into SERVFAIL answers (#396)
- improve random Lua number generator initialization (!979)
- cache: fix CNAME caching when validation is disabled (#472, !974)
- cache: fix CNAME caching in policy.STUB mode (!974)
- prefill: fix crash caused by race condition with resolver startup
(!983)
- webmgmt: use javascript scheme detection for websockets' protocol
(#546)
- daf module: fix del(), deny(), drop(), tc(), pass() functions
(#553, !966)
- policy and daf modules: expose initial query when evaluating
postrules (#556)
- cache: fix some cases of caching answers over 4 KiB (!976)
- docs: support sphinx 3.0.0+ (!978)
Incompatible changes
--------------------
- minor changes in module API; see upgrading guide:
https://knot-resolver.readthedocs.io/en/stable/upgrading.html
Full changelog:
https://gitlab.labs.nic.cz/knot/knot-resolver/raw/v5.1.0/NEWS
Sources:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.1.0.tar.xz
GPG signature:
https://secure.nic.cz/files/knot-resolver/knot-resolver-5.1.0.tar.xz.asc
Documentation:
https://knot-resolver.readthedocs.io/en/v5.1.0/
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
Dobrý den,
dnes po mnoha dnech (měsíců) bezproblémového provozu knot-resolveru
4.2.2 najednou přestal vracet odpovědi na dotazy.
Využívá jej několik tisíc klientů, tak nebyl moc čas na experimerny a
reboot celého stroje pomohl... Ale jen asi na 15min. Pak opět přestal
vracet záznamy, jako by je neměl. Opět reboot a to vydrželo fungovat asi
1.5h a opt přestal komunikovat. To už začalo být vážné, takže jsme
spoustu DNS dotazů na routrech přesměrovali na 8.8.8.8. Mezi tím opět
restart a nyní to již téměř 2h funguje bez problémů.
Vím, že nyní již existuje knot-resolver verze 5.0.1, ale zajímá mě, zda
uvedený problém je známy, jen jsem se sním do dnes nesetkal a v další
verzi opraven, nebo se jedná o neevidovanou anomálii. V logách jsem
totiž našel jen toto:
Apr 27 18:17:56 knot-resolver systemd[1]: kresd(a)4.service: Watchdog
timeout (limit 10s)!
Apr 27 18:17:56 knot-resolver systemd[1]: kresd(a)4.service: Killing
process 382 (kresd) with signal SIGABRT.
Apr 27 18:17:56 knot-resolver systemd[1]: kresd(a)4.service: Main process
exited, code=killed, status=6/ABRT
Apr 27 18:17:56 knot-resolver systemd[1]: kresd(a)4.service: Failed with
result 'watchdog'.
Apr 27 18:17:56 knot-resolver systemd[1]: kresd(a)4.service: Service
RestartSec=100ms expired, scheduling restart.
Apr 27 18:17:56 knot-resolver systemd[1]: kresd(a)4.service: Scheduled
restart job, restart counter is at 1.
Předpokládám, že tato nemilá reakce knot-resolveru byla způsobena
nějakým "spatným" dotazem, ať náhodným nebo záměrným.
Nyní jsme opět zrušili přesměrovaní na 8.8.8.8 a téměř okamžitě přestal
odpovídat:
dig @192.168.100.100 -t AAAA www.seZNAm.cz
; <<>> DiG 9.11.5-P4-5.1-Debian <<>> @192.168.100.100 -t AAAA www.seZNAm.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64547
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.seZNAm.cz. IN AAAA
;; Query time: 0 msec
;; SERVER: 192.168.100.100#53(192.168.100.100)
;; WHEN: Po dub 27 22:32:04 CEST 2020
;; MSG SIZE rcvd: 42
Děkuji za pomoc
Zdeněk Janiš
Hi,
the package signing key for our upstream repositories has expired and
Debian and Ubuntu users with existing installation need to manually
update the knot-resolver-release package to fix the issue:
wget https://secure.nic.cz/files/knot-resolver/knot-resolver-release.deb
dpkg -i knot-resolver-release.deb
apt update
Otherwise, apt update will report following errors and no new updates
will be installed.
W: GPG error:
http://download.opensuse.org/repositories/home:/CZ-NIC:/knot-resolver-lates…
InRelease: The following signatures were invalid: EXPKEYSIG
74062DB36A1F4009 home:CZ-NIC OBS Project <home:CZ-NIC@build.opensuse.org>
E: The repository
'http://download.opensuse.org/repositories/home:/CZ-NIC:/knot-resolver-lates…
InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is
therefore disabled by default.
I apologize for the inconvenience.
--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
Hello,
Would it be possible to maintain the Fedora 29 knot-resolver repo for a few
more months? It recently dropped off the mirrors and it's unclear if some
F29 machines will be updated for a few more months.
Thanks!
R
