-
Notifications
You must be signed in to change notification settings - Fork 710
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
unbound: check if a restart is required, reload after dnsbl update #4518
Comments
@kulikov-a the dnsbl part looks like a bug indeed, 3facaaa should fix it. Adding more logic in an attempt to "restart unbound" properly I'm not really a fan of. In my opinion most of these restart actions on interface changes shouldn't happen at all, since the service should take care of its own issues. When bound to a dynamic interface one could argue that using a port forward to an internal address would be a safer choice (and is a pattern most other vendors advise as well to prevent cluttering services). Short term I'm not sure if we can detach unbound from the interface reload actions, there's more weird cluttering of interface addresses in it at the moment. |
@AdSchellevis thanks! and sorry, сould you please explain where I am wrong in #4497 ? so not to make mistakes in the future |
@kulikov-a I'm not sure what you mean with the killbypid, but if you add a PR, I'll gladly take a look. about #4497, did I say it's an improper request? If I did, I'll probably have to apologise . I think most of the backend components do support alternative separators, I can't remember how it's organised in the tokeniser to be honest. |
@AdSchellevis |
@kulikov-a certainly not, we're just quite busy. |
@AdSchellevis |
My apologies and clarifications. With a successful launch of unbound-anchor before launching unboud, there is no noticeable time difference between restart and reload (sorry. should have found out before creating a FR. just old PIX droped dns-packets > 512 bytes). another question is whether it is necessary to start unbound-anchor at all if DNSSEC not enabled on onbound. |
@fichtner thanks! |
@kulikov-a we're using a similar approach in https://github.com/opnsense/core/blob/master/src/opnsense/scripts/dns/unbound_dhcpd.py if I'm not mistaken. I'm not perse agains loading the data using unbound-control when unbound itself starts fast enough when the configuration is already there. (in which case you can maintain the database while initial content is more or less complete). It does however complicate loading a bit, since irrelevant items need to be removed as well, which can be challenging. |
@AdSchellevis |
@AdSchellevis |
@kulikov-a just open a PR and I'll try to take a look, in case of the blacklists this might be safer indeed. Better not call configd from configd by the way, although it works, we try to avoid nesting. |
(cherry picked from commit 3facaaa)
Ran into this "bug" today. |
@kulikov-a can this be closed? |
Yes, thanks! |
I promise to take a look now that 21.1-RC1 is out we have master branch for experiments again :) |
I'm not in a hurry, just the PR was mentioned in this FR ) |
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
[+] I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
[+] I have searched the existing issues and I'm convinced that mine is new.
Is your feature request related to a problem? Please describe.
Hello everyone.
For now:
pluginctl unbound restart
. typo?-s
missed ?)https://forum.opnsense.org/index.php?topic=20356.0
Describe the solution you'd like
could you consider changes like this:
check if the host_entries.conf file has actually changed before unbound restart
(something like kulikov-a@d799447).
change actions_unbound.conf [dnsbl] command to
/usr/local/opnsense/scripts/unbound/download_blacklists.py && configctl unbound reload
(
pluginctl -s unbound restart
works too. but reload is far more fatser than restart. and imho reload is enough after dnsbl update. UPDATE! in my case difference in time for reload vs restart was due to a failed unbound-anchor launch. not by the procedure itself)Thanks!
Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.
Additional context
Add any other context or screenshots about the feature request here.
The text was updated successfully, but these errors were encountered: